alexcjohnson
commented
2 years ago It's a little confusing to be sure... but dash-bio uses the JavaScript package igv.js, which is based on but distinct from the original igv Java application. Log4j is a Java problem and doesn't apply to JavaScript.
see thread here. It appears that the vulnerability is addressed in versions > 2.11.8.
According to the package.json and package-info.json it looks like dash-bio uses an older version (i.e. IGV 2.6.8).
I dunno whether this is a problem...