Bump the logback group across 1 directory with 2 updates #586

Merged: dannil merged 1 commit into dev from dependabot/maven/logback-32a456049c on Jun 6, 2026

@dependabot dependabot Bot commented on behalf of github Jun 6, 2026

Bumps the logback group with 2 updates in the / directory: ch.qos.logback:logback-core and ch.qos.logback:logback-classic.

Updates ch.qos.logback:logback-core from 1.5.33 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-core's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • See full diff in compare view

Updates ch.qos.logback:logback-classic from 1.5.33 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • See full diff in compare view
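
The release note on `HardenedObjectInputStream` rejecting Proxy classes rests on how Java resolves stream descriptors: `ObjectInputStream` passes dynamic proxy descriptors to `resolveProxyClass`, not `resolveClass`, so an allow-list enforced only in `resolveClass` is never consulted for them. The sketch below is an added example, not logback's code; `AllowListObjectInputStream`, `NoOpHandler` and `ProxyRejectDemo` are hypothetical names, and the serialized proxy is a constructed, harmless sample.

```java
import java.io.*;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;
public class ProxyRejectDemo {
    // Hypothetical allow-list stream for illustration; not logback's HardenedObjectInputStream.
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allow-list");
            }
            return super.resolveClass(desc);
        }

        // Proxy class descriptors are resolved here, not in resolveClass, so a
        // filter that overrides only resolveClass never sees them. Reject outright.
        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
            throw new InvalidClassException("dynamic proxy classes are not accepted");
        }
    }

    // Constructed sample: a serializable handler that does nothing, behind a Runnable proxy.
    static class NoOpHandler implements InvocationHandler, Serializable {
        public Object invoke(Object proxy, Method method, Object[] args) { return null; }
    }

    public static void main(String[] args) throws Exception {
        Object proxy = Proxy.newProxyInstance(ProxyRejectDemo.class.getClassLoader(),
                new Class<?>[] {Runnable.class}, new NoOpHandler());
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(proxy);
        }
        // The allow-list names only java.lang.String; the proxy must not get through.
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()), Set.of("java.lang.String"))) {
            System.out.println("deserialized: " + in.readObject());
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Removing the `resolveProxyClass` override in a local copy shows the gap: the default implementation builds the proxy class without `resolveClass` being asked about the proxy descriptor or its interfaces.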

@dependabot dependabot Bot added the dependencies label (Pull requests that update a dependency file) Jun 6, 2026

Bumps the logback group with 2 updates in the / directory: [ch.qos.logback:logback-core](https://github.com/qos-ch/logback) and [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback).


Updates `ch.qos.logback:logback-core` from 1.5.33 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.33...v_1.5.34)

Updates `ch.qos.logback:logback-classic` from 1.5.33 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.33...v_1.5.34)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: logback
- dependency-name: ch.qos.logback:logback-core
  dependency-version: 1.5.34
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: logback
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump the logback group with 2 updates Bump the logback group across 1 directory with 2 updates Jun 6, 2026
@dependabot dependabot Bot force-pushed the dependabot/maven/logback-32a456049c branch from 87e78bd to ba8c29d Compare June 6, 2026 06:21
@dannil dannil merged commit ed92ad5 into dev Jun 6, 2026
3 checks passed
@dependabot dependabot Bot deleted the dependabot/maven/logback-32a456049c branch June 6, 2026 06:23