FI-2019: bump dependencies to address vulnerabilities #63
Summary
This PR makes the following changes to the app dependencies:

- Replace `slf4j-log4j12` with `slf4j-reload4j` to address potential security vulnerabilities in the nested log4j dependency. `slf4j-log4j12` brought in log4j v1.2, which is very old (the major vulnerability from 2021, "Log4shell", was introduced in v2, so this was even older than that), and `slf4j-reload4j` instead brings in "reload4j", which is a fork of log4j 1.x intended to focus on addressing security issues rather than adding features. SLF4J has other log provider options, but this one should be a drop-in replacement with no changes needed elsewhere.
- (`./gradlew dependencies` which shows the full dependency tree of the app) For some reason, though, okhttp is needed but does not get included automatically; I didn't look too deep into that.

I also noticed spark is out of date, but the most recent release is also out of date and the library seems to be no longer maintained, so I didn't bother: https://github.com/perwendel/spark

There are options to replace that if we decide we need to someday, for example https://github.com/javalin/javalin
Testing Guidance
The main impact, if any, should be to logging: make sure the app still logs to console as expected.

Still, I would recommend confirming validation works both with and without a terminology server, because issues with the dependencies may not present until they are called (even if it compiles).
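The dependency swap described in the Summary, written out as a Gradle build fragment together with a verification task that fails the build if log4j 1.x or the old binding is still on the runtime classpath. This is an added example, not this project's build file: it assumes a Groovy DSL build on Gradle 6.6 or later (for `using` in `dependencySubstitution`), and the version numbers (SLF4J 1.7.36, reload4j 1.2.19) and the task name `verifyNoLog4j1` are assumptions, to be checked against current releases.

```groovy
// build.gradle (Groovy DSL). Added example, not this project's build file.
// Assumes Gradle 6.6+ and the version numbers below; check Maven Central
// for the current releases before copying.

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // Before: the SLF4J binding that transitively pulls in log4j:log4j 1.2.x.
    // implementation 'org.slf4j:slf4j-log4j12:1.7.36'

    // After: same SLF4J 1.7 API, same log4j 1.x configuration format, but the
    // binding now resolves to ch.qos.reload4j:reload4j instead of log4j:log4j.
    implementation 'org.slf4j:slf4j-reload4j:1.7.36'
}

configurations.all {
    // If any other library still declares log4j:log4j transitively, resolve it
    // to reload4j rather than letting two copies of org.apache.log4j.* land on
    // the classpath. Version is an assumption.
    resolutionStrategy.dependencySubstitution {
        substitute module('log4j:log4j') using module('ch.qos.reload4j:reload4j:1.2.19')
    }
}

// Fails the build if the runtime classpath still contains log4j 1.x or the
// old slf4j-log4j12 binding. Run with: ./gradlew verifyNoLog4j1
tasks.register('verifyNoLog4j1') {
    group = 'verification'
    description = 'Fails if log4j 1.x or slf4j-log4j12 is on the runtime classpath'
    doLast {
        def banned = ['log4j:log4j', 'org.slf4j:slf4j-log4j12']
        def offenders = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { "${it.moduleVersion.id.group}:${it.moduleVersion.id.name}" }
            .findAll { banned.contains(it) }
            .unique()
        if (offenders) {
            throw new GradleException("Vulnerable logging artifacts still resolved: ${offenders}")
        }
        println 'OK: no log4j 1.x or slf4j-log4j12 on the runtime classpath'
    }
}
```

The substitution rule covers the case the swap alone does not: a second library that declares `log4j:log4j` itself would otherwise bring the old artifact back silently. The `verifyNoLog4j1` task is the check to run alongside the testing guidance above; it inspects the resolved artifacts rather than the declared dependencies, so it catches transitive reintroductions as well.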