[Snyk] Fix for 1 vulnerabilities

[ayusuf-mq]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• samples/client/petstore/jaxrs-cxf-client-jackson/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	External Initialization of Trusted Variables or Data Stores SNYK-JAVA-CHQOSLOGBACK-15062482	290	ch.qos.logback:logback-classic: 1.2.0 -> 1.5.25 ch.qos.logback:logback-core: 1.2.0 -> 1.5.25 No Path Found No Known Exploit

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[ayusuf-mq]

This upgrade from Logback 1.2.0 to 1.5.25 is high-risk and introduces multiple significant breaking changes. It requires a Java version update, a mandatory SLF4J upgrade, and has breaking changes related to database logging schemas and the configuration API.

Highlights:

• Java and SLF4J Requirements: The upgrade requires at least Java 11 and SLF4J 2.0.x. Version 1.2.x is end-of-life and was compatible with older Java versions.
• API and Configuration Changes: Code that programmatically interacts with Logback's internal configuration system (Joran) will break due to a rewrite in version 1.3. Additionally, the DBAppender schema has changed, requiring the addition of four new columns to existing database tables.

Source: Logback documentation
Recommendation: Before merging, verify the Java and SLF4J versions. Developers must review any custom programmatic configuration and update their DBAppender database schema if it is in use. Also, check for usage of optional components like SMTPAppender which now use the jakarta.* namespace instead of javax.*.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[ayusuf-mq]

This upgrade from Logback 1.2.0 to 1.5.25 is high-risk and includes multiple significant breaking changes. It requires a Java version update, a namespace migration for enterprise components, and an update to SLF4J 2.x. Several configuration features have been removed or altered.

Highlights:

• Java & Jakarta EE Migration: The upgrade requires a move from Java 8 to Java 11. Optional components like SMTPAppender have migrated from Java EE (javax.*) to Jakarta EE (jakarta.*) namespace, which will break existing integrations.
• Removed Configuration Features: Support for Groovy configuration files was removed. Additionally, JaninoEventEvaluator was removed for security reasons in version 1.5.13, breaking conditional logic in logging configurations.

Source: Logback documentation
Recommendation: Thoroughly review your Logback configuration files (logback.xml) and any custom programmatic configuration. Plan for the required Java, SLF4J, and Jakarta EE dependency updates before merging.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.