seancorfield / next-jdbc

A modern low-level Clojure wrapper for JDBC-based access to databases.
https://cljdoc.org/d/com.github.seancorfield/next.jdbc/
Eclipse Public License 1.0

Update log4j to 2.15.0 [CVE-2021-44228] #195

Closed rjsheperd closed 2 years ago

rjsheperd commented 2 years ago

Update log4j to patch for the vulnerability found, where arbitrary code execution can occur.

See: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

seancorfield commented 2 years ago

Since it was only a test dependency, it wasn't a vector for an attack, so it was low on my list as I worked to update other libraries over the weekend, but thanks for noticing it.

I've just pushed a fairly comprehensive update of several build/test dependencies that includes this.