dbutson-mdsol closed 1 year ago
@rshaull We were using the slf4j-log4j12 package, which has been moved to slf4j-reload4j. From there we followed the dependency trail. I'm not sure what you mean by "log4j-1.2 compatibility layer", but if that is a better solution, I'm OK with it. As of today, reload4j does not have any reported vulnerabilities on the compile dependencies. There's one vulnerability on one of the testing dependencies only.
It's not clear to me why this is better than the log4j-1.2 compatibility layer, but it's fine with me provided we trust reload4j and it doesn't have its own security vulnerabilities.