kachayev / nasus

Zero-configuration command-line async HTTP files server in Clojure. Like Python's SimpleHTTPServer but scalable.
MIT License
166 stars 9 forks

Update to safe log4j2/SLF4J2 version? #23

Closed respatialized closed 2 years ago

respatialized commented 2 years ago

Hello, @kachayev -

Thanks for writing nasus. It's really nice to be able to add an optional HTTP static file server to basically any project with a single deps.edn alias for it.

With all the buzz around CVE-2021-44228, I was doing an audit of some of my projects' dependencies and I did notice that nasus uses log4j.

As I note in one of my commit messages, this appears not to be a safety-critical upgrade for nasus; the 1.x branch of log4j contained no vulnerability to CVE-2021-44228, and CVE-2021-4104 only applies to applications using log4j 1.x versions with JMSAppender enabled (which it wasn't here), so there is no evidence that any nasus HTTP servers were affected by these vulnerabilities.

Nevertheless, I took it as an opportunity to update to the current safest version of log4j2, as log4j 1.x has reached end of life. I informally verified that the logging configuration continues to have the expected behavior after updating the properties file to the log4j2 format, and the test suite passes.

If you'd prefer not to merge this PR, that's fine too. But I figured I would at least offer it up as a way of giving back to a project that's been pretty useful to me over the past couple of years. Happy also to incorporate any feedback you may have.
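The audit described in this PR (which log4j coordinates a deps.edn declares, and whether a log4j 1.x properties file wires in the JMSAppender that CVE-2021-4104 depends on) can be scripted. The following is an added example, not nasus's own code or anything from this PR: the deps.edn and properties snippets are constructed samples, and the 2.15.0 threshold is the first log4j-core 2.x release carrying the CVE-2021-44228 fix.

```python
import re

# Matches Clojure deps.edn coordinates of the form  group/artifact {:mvn/version "x.y.z"}
DEP_RE = re.compile(r'([\w.\-]+)/([\w.\-]+)\s*\{:mvn/version\s*"([^"]+)"\}')

LOG4J1_COORD = ("log4j", "log4j")
LOG4J2_COORD = ("org.apache.logging.log4j", "log4j-core")
FIRST_FIXED_2X = (2, 15, 0)  # first 2.x release with the CVE-2021-44228 fix

# Constructed sample inputs; they are not the real nasus files.
DEPS_EDN_BEFORE = """
{:deps {log4j/log4j {:mvn/version "1.2.17"}
        org.slf4j/slf4j-log4j12 {:mvn/version "1.7.32"}}}
"""
DEPS_EDN_AFTER = """
{:deps {org.apache.logging.log4j/log4j-core {:mvn/version "2.17.1"}
        org.apache.logging.log4j/log4j-slf4j-impl {:mvn/version "2.17.1"}}}
"""
LOG4J1_PROPS_SAFE = """
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
"""
LOG4J1_PROPS_JMS = """
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""


def parse_version(text):
    """Numeric prefix of a version string as a tuple: '2.14.1' -> (2, 14, 1), '2.0-beta9' -> (2, 0)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def logging_deps(deps_edn):
    """All log4j 1.x / log4j-core 2.x coordinates declared in a deps.edn string."""
    return [(g, a, v) for g, a, v in DEP_RE.findall(deps_edn)
            if (g, a) in (LOG4J1_COORD, LOG4J2_COORD)]


def uses_jms_appender(properties):
    """True if a log4j 1.x properties file configures org.apache.log4j.net.JMSAppender."""
    pattern = r"\s*log4j\.appender\.\w+\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$"
    return any(re.match(pattern, line) for line in properties.splitlines())


def audit(deps_edn, properties=""):
    """Return (coordinate, finding) pairs for the log4j dependencies found."""
    findings = []
    for group, artifact, version in logging_deps(deps_edn):
        coord = f"{group}/{artifact} {version}"
        if (group, artifact) == LOG4J1_COORD:
            # 1.x is not affected by CVE-2021-44228, but it is end of life.
            findings.append((coord, "log4j 1.x is end of life; CVE-2021-44228 does not apply"))
            # CVE-2021-4104 only matters when JMSAppender is actually configured.
            if uses_jms_appender(properties):
                findings.append((coord, "CVE-2021-4104: JMSAppender is configured"))
        elif parse_version(version) < FIRST_FIXED_2X:
            findings.append((coord, "CVE-2021-44228: upgrade log4j-core"))
    return findings


if __name__ == "__main__":
    for label, deps, props in (("before", DEPS_EDN_BEFORE, LOG4J1_PROPS_SAFE),
                               ("before+jms", DEPS_EDN_BEFORE, LOG4J1_PROPS_JMS),
                               ("after", DEPS_EDN_AFTER, "")):
        print(label, audit(deps, props))
```

Run against the project's real deps.edn and log4j.properties, the script reproduces the reasoning in the PR description: a 1.x dependency without a JMSAppender line yields only the end-of-life note, while the post-upgrade deps.edn yields no findings.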

kachayev commented 2 years ago

Hey @respatialized!

Thanks a lot for the PR. I didn't pay much attention to the vulnerabilities as the project uses older versions of the library, as you've rightfully mentioned. Though you are absolutely right - it makes sense to keep dependencies up to date.

I'm going to merge the PR now. Will cut a new release version as soon as I'm back from the holiday trip.

Thanks a lot!