Closed LSmyrnaios closed 1 year ago
@LSmyrnaios Thanks for getting in touch. Spring Boot 2.7.x has a managed dependency for Logback 1.2.x. As stated in our third-party upgrade policy, we won't upgrade to a new minor version like Logback 1.3.x in a patch release of 2.7.x. As you've noted, we'd not only have to upgrade to Logback 1.3.x but also to SLF4J 2.0.x. There is an issue that discusses why we can't do that in 2.7.x, let alone in a patch release.
Running maven-enforcer-plugin on a project, rule requireUpperBoundDeps, shows that Hikari has a dependency with SLF4J 2.0.0-alpha1:
[ERROR] +-org.springframework.boot:spring-boot-starter-data-jpa:2.7.11
[ERROR] +-org.springframework.boot:spring-boot-starter-jdbc:2.7.11 (managed) <-- org.springframework.boot:spring-boot-starter-jdbc:2.7.11
[ERROR] +-com.zaxxer:HikariCP:4.0.3 (managed) <-- com.zaxxer:HikariCP:4.0.3
[ERROR] +-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:2.0.0-alpha1
With the opportunity of continuing the discussion, @scottfrederick, I would like to ask if there is a possibility of upgrading to SLF4J v.2.0.x and logback v.1.3.x in the next big release of Spring Boot 2, v.2.8.0 (if such a release is planned at all).
This is quite important for a lot of users who run Java 8 and want the latest security and bug fixes for production systems. Thank you in advance.
We have no plans for a Spring Boot 2.8 at this time.
The problem is that now there is a vulnerability in logback 1.2.12 (CVE-2023-6378) and there is no solution for SB 2.7.x users.
@ASarco See https://github.com/qos-ch/logback/issues/745
Use logback version 1.2.13
Hi,
Since logback moved to the new version scheme, 1.3.x for Java 8 and 1.4.x for Java-11, Spring Boot has only integrated logback 1.4.x into version 3.x.x (which uses Java-11).
Java-8 users have been left behind.
As the logback documentation proves, logback creates new releases simultaneously for versions 1.3.x and 1.4.x. That said, versions 1.3.x are "active" and Spring Boot 2.7.x should integrate them.
Please consider the following use-case:
I have a Java-8 app which uses logback v.1.3.6 and runs fine. Now I want to load that app into a Spring Boot app, as a dependency, which uses Spring Boot v.2.7.9. When running gradle buildRun, I get the following error:
It seems that Spring Boot uses slf4j 1.7.x, but logback 1.3.x uses slf4j 2.0.x, so the "StaticLoggerBinder" class is missing.
So, could you please add support for logback v.1.3.x in Spring Boot versions >= 2.7.x and < 3?
Thank you in advance.
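
The two conditions raised in this thread (Logback 1.2.x below 1.2.13, and Logback 1.3.x or later resolved alongside slf4j-api 1.7.x) can be checked against a build's resolved dependencies. This is an added example, not code from the thread or from Spring Boot; it assumes `mvn dependency:list` style output, and the sample lines are constructed.

```python
import re

# Constructed sample in `mvn dependency:list` form (group:artifact:type:version:scope).
SAMPLE = """\
[INFO]    org.springframework.boot:spring-boot-starter-jdbc:jar:2.7.11:compile
[INFO]    com.zaxxer:HikariCP:jar:4.0.3:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    ch.qos.logback:logback-classic:jar:1.2.12:compile
[INFO]    ch.qos.logback:logback-core:jar:1.2.12:compile
"""

COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):\w+")


def resolved_versions(text):
    """Map 'group:artifact' to the version the build resolved."""
    return {f"{g}:{a}": v for g, a, v in COORD.findall(text)}


def vtuple(version):
    """Leading numeric part of a version: '2.0.0-alpha1' -> (2, 0, 0)."""
    head = re.match(r"\d+(?:\.\d+)*", version).group()
    return tuple(int(n) for n in head.split("."))


def check(text):
    """Return findings for the two problems discussed in the thread."""
    deps = resolved_versions(text)
    slf4j = deps.get("org.slf4j:slf4j-api")
    findings = []
    for artifact in ("logback-classic", "logback-core"):
        ver = deps.get(f"ch.qos.logback:{artifact}")
        if ver is None:
            continue
        v = vtuple(ver)
        # Assumption: every 1.2.x release below 1.2.13 is treated as needing
        # the upgrade the thread recommends for CVE-2023-6378.
        if v[:2] == (1, 2) and v < (1, 2, 13):
            findings.append(f"{artifact} {ver}: upgrade to 1.2.13 (CVE-2023-6378)")
        # Logback 1.3+ targets SLF4J 2.0.x; with slf4j-api 1.7.x the binding
        # lookup for StaticLoggerBinder fails, as the original post describes.
        if artifact == "logback-classic" and slf4j and v >= (1, 3) and vtuple(slf4j) < (2,):
            findings.append(f"logback-classic {ver} with slf4j-api {slf4j}: binding mismatch")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```

In a Maven build that inherits Spring Boot's dependency management, the managed Logback version can be overridden with the `logback.version` property.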