Skip to content

Upgrade Log4j to 2.25.2 #3603

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Upgrade Log4j to 2.25.2 #3603

wants to merge 7 commits into from

Conversation

ppkarwasz
Copy link

This PR updates all Log4j artifacts to version 2.25.1 and includes a few related cleanups:

  • Supersedes Update apache.log4j to v2.25.2 #3079.

  • Removes explicit dependencies on osgi.annotation and biz.aQute.bnd.annotation.

    • Since Log4j 2.25.0, Gradle Module Metadata automatically adds these as transitive compile-only dependencies, so declaring them directly is no longer needed.
    • This still avoids -Xlint:classfile compiler warnings without extra dependencies.

  • Excludes spotbugs-annotations (brought in transitively via Apache POI).

    • It is not required for the build and causes license check failures, because SpotBugs (and its annotations) are LGPL-2.1 licensed.

Checklist

Please review the following and check all that apply:

  • I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
  • I have created a Jira issue and added the issue ID to my pull request title.
  • I have given Solr maintainers access to contribute to my PR branch. (optional but recommended, not available for branches on forks living under an organisation)
  • I have developed this patch against the main branch.
  • I have run ./gradlew check.
  • I have added tests for my changes.
  • I have added documentation for the Reference Guide

solrbot and others added 3 commits September 2, 2025 15:11
@solrbot @ppkarwasz
Update apache.log4j to v2.25.1
898d71b
@ppkarwasz
fix: drop redundant annotation libraries
0515c99 
Remove explicit dependencies on `osgi.annotation` and `biz.aQute.bnd.annotation`. Since Log4j 2.25.0, all artifacts publish Gradle Module Metadata that brings in these annotation libs as transitive compile-only dependencies, avoiding `-Xlint:classfile` warnings without needing to declare them directly.
@ppkarwasz
fix: exclude SpotBugs annotations from transitive deps
ef873f3 
Remove `spotbugs-annotations` pulled in via Apache POI as a transitive **compile-only** dependency. It is not required for the build but triggers license check failures because SpotBugs (including its annotations) is licensed under LGPL-2.1.
@ppkarwasz ppkarwasz mentioned this pull request Sep 2, 2025
Open
1 task
janhoy
janhoy reviewed Sep 2, 2025
View reviewed changes
Copy link
Contributor

@janhoy janhoy left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quick view, looks great, thanks for diving in. Note that when the PR is not authored by solrbot, it will not be auto included in CHANGES.txt "Dependency upgrades" section, so you'll have to add a line there yourself.

@ppkarwasz ppkarwasz marked this pull request as draft September 3, 2025 09:58
@risdenk risdenk mentioned this pull request Sep 3, 2025
Closed
@risdenk
Copy link
Contributor

risdenk commented Sep 3, 2025

FYI #2895 was another attempt prior to this. There was a comment about licenses needing to be reviewed as well. #2895

risdenk
risdenk reviewed Sep 3, 2025
View reviewed changes
@ppkarwasz
Copy link
Author

I switched this PR to draft, since we have scheduled a release 2.25.2 for next Monday, so I see no reason to upgrade twice.

@ppkarwasz ppkarwasz changed the title Upgrade Log4j to 2.25.1 Upgrade Log4j to 2.25.2 Sep 23, 2025
@ppkarwasz ppkarwasz marked this pull request as ready for review September 23, 2025 12:34
@ppkarwasz ppkarwasz requested review from janhoy and risdenk September 23, 2025 13:07
@ppkarwasz
Copy link
Author

We released version 2.25.2 (the last of the 2.25.x series) yesterday. I updated the PR to the new version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@janhoy janhoy Awaiting requested review from janhoy

@risdenk risdenk Awaiting requested review from risdenk

Assignees

No one assigned

Labels

admin-ui cat:api client:solrj dependencies Dependency upgrades documentation Improvements or additions to documentation module:clustering module:extraction module:gcs-repository module:jwt-auth module:langid module:ltr module:opentelemetry module:s3-repository module:scripting module:sql prometheus-exporter test-framework tool:build

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ppkarwasz @risdenk @janhoy @solrbot