Shadow plugin dependency should be updated to 7.1.1 for mitigating the log4j CVE
jrddunbr opened this issue · 1 comment
Hello,
I noticed that you are not using the recently updated version of the Shadow plugin that is patched for the log4j CVE. It doesn't seem to impact the security of the mod jar itself, because you don't shadow in log4j into your jars (at least, not that I could see), but for completeness you may want to update to Shadow 7.1.1.
https://github.com/johnrengelman/shadow/releases/tag/7.1.1
I'd submit a PR if it was a simple version bump, but it looks like there are possibly breaking changes between shadow 6 and shadow 7, so I don't have the time right now to actually test that.
Fantastic mod, btw. Thanks for making it :)