-
Notifications
You must be signed in to change notification settings - Fork 40.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Spring boot 2.7.x does not work with logback 1.3.x (Java 8) #34708
Comments
@LSmyrnaios Thanks for getting in touch. Spring Boot 2.7.x has a managed dependency for Logback 1.2.x. As stated in our third-party upgrade policy, we won't upgrade to a new minor version like Logback 1.3.x in a patch release of 2.7.x. As you've noted, we'd not only have to upgrade to Logback 1.3.x but also to SLF4j 2.0.x. There is an issue that discusses why we can't do that in 2.7.x, let alone in a patch release. |
Running maven-enforcer-plugin on a project, rule requireUpperBoundDeps, shows that Hikari has a dependency with SLF4J 2.0.0-alpha1:
|
With the oportunity of continuing the discussion, @scottfrederick , I would like to ask if there is a possibility of upgrading to SLF4J v.2.0.x and logback v.1.3.x in the next big release of Spring Boot 2, v.2.8.0 (if such release is planned at all). This is quite important for a lot of users running Java 8 and want the latest security and bug fixes for production systems. |
We have no plans for a Spring Boot 2.8 at this time. |
The problem is now there is a vulnerability in logback 1.2.12 cve-2023-6378 and there is no solution for SB 2.7.x users. |
Use logback version 1.2.13 |
Hi,
Since logback moved to the new versions' scheme 1.3.x for Java 8 and 1.4.x for Java-11, Spring Boot has only integrate logback 1.4.x into version 3.x.x (which uses Java-11).
Java-8 users have been left behind.
As logback documentation proves, logback creates new releases simultaneously for versions 1.3.x and 1.4.x
That said, versions 1.3.x are "active" and Spring Boot 2.7.x should integrate them.
Please consider the following use-case:
I have a Java-8 app which uses logback v.1.3.6 and runs fine.
Now I want to load that app into a Spring Boot app, as a dependency, which using Spring Boot v.2.7.9.
When running gradle buildRun, I get the following error:
It seems that Spring Boot uses slf4j 1.7.x, but logback 1.3.x uses slf4j 2.0.x, so the "StaticLoggerBinder" class is missing.
So, could you please add support for logback v.1.3.x in Spring Boot versions >= 2.7.x and < 3 ?
Thank you in advance.
The text was updated successfully, but these errors were encountered: