This repository was archived by the owner on Feb 5, 2026. It is now read-only.

[Snyk] Fix for 1 vulnerabilities #49

Open
ayusuf-mq wants to merge 1 commit into master from snyk-fix-131847e097c41039d66c1d3de5b2ffa8

Conversation

@ayusuf-mq


Snyk has created this PR to fix 1 vulnerability in the maven dependencies of this project.

Snyk changed the following file(s):

  • samples/openapi3/client/petstore/jaxrs-cxf-client-jackson-nullable/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue:   External Initialization of Trusted Variables or Data Stores (low severity)
         SNYK-JAVA-CHQOSLOGBACK-15062482
Score:   290
Upgrade: ch.qos.logback:logback-classic 1.1.7 -> 1.5.25
         ch.qos.logback:logback-core 1.1.7 -> 1.5.25
Status:  No Path Found, No Known Exploit

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

…le/pom.xml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-15062482
@ayusuf-mq (Author)

Merge Risk: High

This major version upgrade from 1.1.7 to 1.5.25 spans multiple breaking releases and requires significant dependency and configuration updates. Key changes include a mandatory upgrade to SLF4J 2.0, a higher Java baseline, and a switch from Java EE to Jakarta EE namespaces.

Highlights:

  • Update SLF4J API: Logback 1.3.x and newer require SLF4J 2.0.x, which is a breaking change from the 1.7.x API used by Logback 1.2.x and older. Ensure all SLF4J bindings are updated.
  • Update Java Version: The target version 1.5.25 requires Java 11 or later at runtime.
  • Check Namespace Changes: Optional components like SMTPAppender now depend on the jakarta.* namespace, replacing the previous javax.* namespace from version 1.4.x onwards.

Source: Logback documentation
Recommendation: Carefully audit all dependencies to ensure compatibility with SLF4J 2.0.x. Update Java to version 11+ and revise configurations using optional components for the new Jakarta EE namespace before merging.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@ayusuf-mq (Author)

Merge Risk: High

This is a major upgrade across multiple significant versions (1.1.7 → 1.5.25) that introduces several breaking changes, including new Java version requirements, SLF4J API updates, and changes to the configuration system.

Highlights:

  • Java Version Requirement: Logback 1.4.x and newer require Java 11, while version 1.3.x requires Java 8. The original version 1.1.7 was compatible with older Java versions.
  • Configuration & API Changes: The internal configuration system (Joran) was rewritten in version 1.3, which may affect custom code that interacts with it. Additionally, support for Groovy configuration and JaninoEventEvaluator has been removed.

Source: Logback documentation
Recommendation: A staged upgrade is highly recommended. First, ensure the application is running on at least Java 11. Then, update to Logback 1.3.x and SLF4J 2.0.x, address any configuration issues, and finally upgrade to 1.5.x. Thoroughly test logging behavior after the upgrade.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
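Both comments above list constraints a reviewer is asked to verify by hand before merging: the SLF4J 2.x API for Logback 1.3.x and newer, Java 11 for 1.4.x and newer, and logback-core moving in lock-step with logback-classic. The script below is an added example, not Snyk's or the project's own tooling. It reads a pom.xml and reports which of those constraints the declared dependency set violates. The two embedded poms are constructed samples (the slf4j-api versions and compiler levels in them are illustrative), and the `${property}` expansion only covers values declared in the pom's own `<properties>` block.

```python
"""Check a Maven pom.xml against the Logback upgrade constraints quoted in the
PR comments (added example, not the project's or Snyk's own tooling):
  - logback-classic 1.3.x needs the SLF4J 2.x API and Java 8
  - logback-classic 1.4.x and newer need the SLF4J 2.x API and Java 11
  - logback-core must be upgraded in lock-step with logback-classic"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed sample: a half-done upgrade that bumps only logback-classic.
# The slf4j-api version and the compiler level are illustrative placeholders.
POM_PARTIAL = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <maven.compiler.target>1.8</maven.compiler.target>
    <logback.version>1.5.25</logback.version>
  </properties>
  <dependencies>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId><version>${logback.version}</version></dependency>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-core</artifactId><version>1.1.7</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>1.7.36</version></dependency>
  </dependencies>
</project>"""

# Constructed sample: the same pom after the staged upgrade the comments recommend
# (2.0.17 is just an illustrative SLF4J 2.x release).
POM_UPGRADED = (POM_PARTIAL
                .replace("<maven.compiler.target>1.8<", "<maven.compiler.target>11<")
                .replace("<version>1.1.7<", "<version>1.5.25<")
                .replace("<version>1.7.36<", "<version>2.0.17<"))


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.5.25' -> (1, 5, 25); a qualifier such as '-SNAPSHOT' is dropped."""
    head = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(n) for n in head.group().split(".")) if head else ()


def java_major(text: str) -> int:
    """Maven compiler levels: '1.8' means Java 8, '11' means Java 11."""
    v = parse_version(text)
    return v[1] if len(v) >= 2 and v[0] == 1 else v[0]


def logback_requirements(version: Tuple[int, ...]) -> Tuple[Optional[int], int]:
    """(minimum Java major or None, required SLF4J major) per the PR comments."""
    if version >= (1, 4):
        return 11, 2
    if version >= (1, 3):
        return 8, 2
    return None, 1  # 1.2.x and older use the SLF4J 1.7 API


def property_value(root: ET.Element, name: str) -> Optional[str]:
    """Value of <properties><name>...</name></properties>, or None if absent."""
    props = root.find("m:properties", NS)
    for child in (props if props is not None else []):
        if child.tag == f"{{{POM_NS}}}{name}":
            return (child.text or "").strip()
    return None


def dependency_version(root: ET.Element, group: str, artifact: str) -> Optional[str]:
    """Declared version of a dependency, with a ${property} reference expanded."""
    for dep in root.findall(".//m:dependency", NS):
        if (dep.findtext("m:groupId", "", NS) == group
                and dep.findtext("m:artifactId", "", NS) == artifact):
            v = dep.findtext("m:version", "", NS).strip()
            if v.startswith("${") and v.endswith("}"):
                v = property_value(root, v[2:-1]) or v
            return v
    return None


def check_pom(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the constraints hold."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    classic = dependency_version(root, "ch.qos.logback", "logback-classic")
    if classic is None:
        return findings  # nothing to check
    classic_v = parse_version(classic)
    if not classic_v:
        return [f"cannot parse logback-classic version {classic!r}"]
    min_java, slf4j_major = logback_requirements(classic_v)

    core = dependency_version(root, "ch.qos.logback", "logback-core")
    if core is not None and parse_version(core) != classic_v:
        findings.append(f"logback-core {core} must match logback-classic {classic}")

    slf4j = dependency_version(root, "org.slf4j", "slf4j-api")
    if slf4j is not None and parse_version(slf4j)[:1] != (slf4j_major,):
        findings.append(f"slf4j-api {slf4j} is not the SLF4J {slf4j_major}.x API "
                        f"required by logback-classic {classic}")

    level = (property_value(root, "maven.compiler.release")
             or property_value(root, "maven.compiler.target"))
    if min_java is not None and level is not None and java_major(level) < min_java:
        findings.append(f"compiler level {level} is below Java {min_java} "
                        f"required by logback-classic {classic}")
    return findings


if __name__ == "__main__":
    for label, pom in (("partial", POM_PARTIAL), ("upgraded", POM_UPGRADED)):
        print(label, check_pom(pom) or ["ok"])
```

Run against the first sample it reports three findings (core lagging behind classic, slf4j-api still on the 1.7 API, compiler level below Java 11), which is exactly the state a merge of this PR alone would leave the sample module in; against the second it reports none. It deliberately checks only the pom's own declarations, so a transitively pulled slf4j-api would still need `mvn dependency:tree` to confirm.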
