deps: update dependency ch.qos.logback:logback-core to v1.5.25 [security] #4079
Conversation
trusted-contributions-gcf
bot
added
the
kokoro:force-run
Summary of ChangesHello @renovate-bot, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request focuses on enhancing the security posture of the application by upgrading a critical logging library. The update addresses a known vulnerability, ensuring that the system is protected against potential exploits related to configuration file processing. This is a proactive measure to maintain the integrity and safety of the codebase. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request correctly updates ch.qos.logback:logback-core to version 1.5.25 to address the security vulnerability CVE-2026-1225. The change is appropriate. I've added one comment regarding an outdated code comment that should be updated to prevent future confusion for developers.
| <gapic-showcase.version>0.36.2</gapic-showcase.version> | ||
| <!-- This is the last version supporting slf4j 1.x, do not upgrade --> | ||
| <slf4j1-logback.version>1.2.13</slf4j1-logback.version> | ||
| <slf4j1-logback.version>1.5.25</slf4j1-logback.version> |
There was a problem hiding this comment.
The comment on the preceding line is now incorrect with this upgrade to version 1.5.25. While Logback versions 1.3.x and 1.4.x require SLF4J 2.x, the new 1.5.x series (like the older 1.2.x series) is compatible with SLF4J 1.x.
To avoid future confusion, I recommend updating the comment on line 21. For example:
<!-- logback-classic 1.3.x/1.4.x requires slf4j-api 2.x. The 1.2.x and 1.5.x series support slf4j-api 1.x -->Alternatively, you could remove the comment.
1 participant
This PR contains the following updates:
1.2.13→1.5.25Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2026-1225
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.
The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.