[Snyk] Upgrade ch.qos.logback:logback-classic from 1.4.12 to 1.5.22

[sajith-subramanian]

Snyk has created this PR to upgrade ch.qos.logback:logback-classic from 1.4.12 to 1.5.22.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 25 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JAVA-CHQOSLOGBACK-6097493	61	No Known Exploit
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JAVA-CHQOSLOGBACK-6097492	61	No Known Exploit
	External Initialization of Trusted Variables or Data Stores SNYK-JAVA-CHQOSLOGBACK-13169722	61	No Known Exploit
	Improper Neutralization of Special Elements SNYK-JAVA-CHQOSLOGBACK-8539866	61	No Known Exploit
	Improper Neutralization of Special Elements SNYK-JAVA-CHQOSLOGBACK-8539867	61	No Known Exploit
	Server-side Request Forgery (SSRF) SNYK-JAVA-CHQOSLOGBACK-8539865	61	No Known Exploit

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[Copilot]

Pull request overview

This PR upgrades the ch.qos.logback:logback-classic dependency from version 1.4.12 to 1.5.22 to address multiple security vulnerabilities ranging from low to high severity.

Changes:

• Upgraded logback dependency version to patch 6 security vulnerabilities including resource exhaustion, SSRF, and improper neutralization issues

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sajith-subramanian]

This upgrade to Logback 1.5.x is mostly a drop-in replacement for the 1.4.x series, but it contains specific breaking changes that require attention.

• DBAppender: The database schema has changed. If you use DBAppender, you must alter your logging tables to add four new columns (arg0, arg1, arg2, arg4). [1]
• JaninoEventEvaluator: This component has been removed. Configurations using it for conditional logging must be migrated. [1, 8]

While most common configurations (file and console appenders) are unaffected, the risk is medium due to the manual intervention required for the above components.

Source: Logback News

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.