Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.23 to 1.5.24.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.23...v_1.5.24)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
📝 Walkthrough
Updated Logback dependencies in the HDFS test fixture:
Sequence Diagram(s): omitted (change is a dependency version bump; no new multi-component control flow)
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
Signed-off-by: dependabot[bot] <support@github.com>
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In @CHANGELOG.md:
- Line 62: The CHANGELOG is missing a matching entry for logback-core; add a
line mirroring the existing logback-classic entry to document that
ch.qos.logback:logback-core was bumped from 1.5.23 to 1.5.24 (use the same PR
reference as the logback-classic entry), ensuring consistency with the update
made in test/fixtures/hdfs-fixture/build.gradle and using the same formatting as
the existing changelog line for logback-classic.
| - Bump `org.jline:jline` from 3.30.5 to 3.30.6 ([#20369](https://github.com/opensearch-project/OpenSearch/pull/20369)) | ||
| - Bump `lycheeverse/lychee-action` from 2.6.1 to 2.7.0 ([#20370](https://github.com/opensearch-project/OpenSearch/pull/20370)) | ||
| - Bump `opensearch-protobufs` from 1.0.0 to 1.1.0 and update transport-grpc module compatibility ([#20396](https://github.com/opensearch-project/OpenSearch/pull/20396)) | ||
| - Bump `ch.qos.logback:logback-classic` from 1.5.23 to 1.5.24 ([#20407](https://github.com/opensearch-project/OpenSearch/pull/20407)) |
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Check if logback-core and logback-classic versions in the build file
fd -t f "build.gradle" test/fixtures/hdfs-fixture/ | head -5
```
Repository: opensearch-project/OpenSearch
Length of output: 112
🏁 Script executed:
```bash
#!/bin/bash
# Search for logback dependency versions in build.gradle
rg "logback-(core|classic)" test/fixtures/hdfs-fixture/build.gradle -A 2 -B 2
```
Repository: opensearch-project/OpenSearch
Length of output: 533
🌐 Web query:
logback 1.5.24 release date security advisories CVE
💡 Result:
- Release date for Logback 1.5.24: Jan 6, 2026. [1]
- Known/security CVEs relevant to the 1.5.x line (and their fixed versions):
  - CVE-2024-12798 (Expression Language injection): affected <1.5.13; fixed in 1.5.13 and later. [2]
  - CVE-2024-12801 (SSRF via SaxEventRecorder): affected 1.4.0 through 1.5.12; fixed in 1.5.13 and later. [3]
  - CVE-2025-11226 (arbitrary code execution in conditional configuration processing): affects versions up to 1.5.18; patched in 1.5.19 and later (therefore 1.5.24 includes the fix). [4][5]
If you want, I can fetch the official logback news/changelog entries showing the specific commits/notes for each fix.
Sources:
[1] mvnrepository — logback-classic 1.5.24 (Jan 06, 2026).
[2] GitLab advisory / logback-core CVE-2024-12798 (fixed in 1.5.13).
[3] GitLab advisory / logback-core CVE-2024-12801 (fixed in 1.5.13).
[4] GitHub Advisory / GHSA (CVE-2025-11226) — affected <=1.5.18, patched in 1.5.19.
[5] NVD entry for CVE-2025-11226.
Add CHANGELOG entry for logback-core bump to 1.5.24.
Both logback-core and logback-classic were updated to 1.5.24 in test/fixtures/hdfs-fixture/build.gradle, but the CHANGELOG only documents the logback-classic update. A corresponding entry for logback-core should be added to maintain consistency and completeness in the changelog.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
```diff
@@             Coverage Diff              @@
##               main   #20407      +/-   ##
============================================
- Coverage     73.29%   73.26%   -0.04%
+ Complexity    71816    71810       -6
============================================
  Files          5793     5793
  Lines        328644   328644
  Branches      47313    47313
============================================
- Hits         240890   240769     -121
- Misses        68404    68505     +101
- Partials      19350    19370      +20
```
…/ch.qos.logback-logback-classic-1.5.24 Signed-off-by: Craig Perkins <cwperx@amazon.com>
❌ Gradle check result for 0045521: null Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
❌ Gradle check result for 0045521: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
…xtures/hdfs-fixture (opensearch-project#20407)

* Bump ch.qos.logback:logback-classic in /test/fixtures/hdfs-fixture

Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.23 to 1.5.24.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.23...v_1.5.24)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update changelog

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Craig Perkins <cwperx@amazon.com>
Bumps ch.qos.logback:logback-classic from 1.5.23 to 1.5.24.
Release notes
Sourced from ch.qos.logback:logback-classic's releases.
Commits
- 62bc5fc prepare release 1.5.24
- aac604d typo fix of local variable name
- 8a6df9e ExpressionPropertyCondition constructor should be public
- 95e588c minor changes in ExpressionPropertyCondition
- 859f5a1 added ExpressionPropertyCondition capable of parsing logical expressions on p...
- 348075a start work on 1.5.24-SNAPSHOT

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.