If you pay attention to tech news, you know what's going on with log4j right now. It's being called Log4Shell, which is a great name. I'll spare you repeating the details of the issue; there are many, many stories about it at this point. What I've not seen is a good explanation of why knowing whether you are using log4j is hard, and why fixing it will be even harder than finding it.

If you have a Java project, the very first thing you probably did was check to see if you are pulling in log4j as a dependency. The weird thing about Java projects is that even if you aren't using log4j, it could still be in your project. We've all heard about how dependencies also have dependencies. Pulling in one dependency could end up actually pulling in three, because the package you want depends on two different packages.

Now if I look at the source of my project, I only see that I depend on Package A, no log4j here! But that doesn't tell me anything about all the things that will end up in my project after it gets built and Package A pulls in its dependencies. I also end up with Packages B and C installed. You can imagine one of these could be log4j.
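Added example (not code from the original post): a small shell helper that walks the output of `mvn dependency:tree` and prints the chain of parents through which `log4j-core` arrives, so a transitive pull-in like the Package A case above shows up even though the project's own build file never names log4j. The tree text is constructed for illustration; the `package-a`/`package-b`/`package-c` coordinates are invented, only the log4j coordinates are real.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree` output: the project depends
# only on package-a, which in turn pulls in package-b and log4j-core.
SAMPLE_TREE='[INFO] com.example:myapp:jar:1.0.0
[INFO] +- com.example:package-a:jar:2.3.1:compile
[INFO] |  +- com.example:package-b:jar:1.4.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |     \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \- com.example:package-c:jar:0.9.2:compile'

# find_log4j_paths: reads tree text on stdin and prints one line per hit:
#   "<root> -> <direct dep> -> ... -> <log4j-core artifact>"
# Maven indents each level by three columns before the "+-" / "\-" branch
# marker, so the parent chain is rebuilt from indentation alone.
find_log4j_paths() {
    awk '
    {
        sub(/^\[INFO\] /, "")                 # drop the Maven log prefix
        a = index($0, "+- "); b = index($0, "\\- ")
        m = (a > 0) ? a : b                   # column of the branch marker
        if (m == 0) { depth = 0; art = $0 }   # the root artifact line
        else { depth = (m - 1) / 3 + 1; art = substr($0, m + 3) }
        path[depth] = art                     # remember the node at this depth
        if (art ~ /:log4j-core:/) {
            line = path[0]
            for (i = 1; i <= depth; i++) line = line " -> " path[i]
            print line
        }
    }'
}

# Against a real project this would be:  mvn dependency:tree | find_log4j_paths
printf '%s\n' "$SAMPLE_TREE" | find_log4j_paths
```

Gradle users get the same information from `gradle dependencies`, whose tree uses the same `+--`/`\---` markers but a different indent width, so the depth arithmetic would need adjusting.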