@renovate-bot
Contributor

This PR contains the following updates:

Package: ch.qos.logback:logback-core (source, changelog)
Change: 1.2.13 -> 1.5.19

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-11226

QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vulnerability allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting a malicious environment variable before program execution.

A successful attack requires the Janino library and Spring Framework to be present on the user's class path. Additionally, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privileges.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@product-auto-label product-auto-label bot added the size: xs Pull request size is extra small. label Oct 21, 2025
@trusted-contributions-gcf trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 21, 2025
@gemini-code-assist

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request is a critical dependency update for logback-core, moving from version 1.2.13 to 1.5.19. The primary motivation for this update is to patch a recently identified security vulnerability, CVE-2025-11226, which could potentially lead to arbitrary code execution. By integrating this newer version, the project enhances its security posture against known exploits related to logback configuration processing.

Highlights

  • Dependency Update: Updates the ch.qos.logback:logback-core dependency from version 1.2.13 to 1.5.19.
  • Security Fix: Addresses the CVE-2025-11226 vulnerability in logback-core, which could allow arbitrary code execution under specific conditions.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This PR aims to fix a security vulnerability by updating ch.qos.logback:logback-core. However, the chosen version 1.5.19 is incompatible with the SLF4J version used in the slf4j1_logback profile, which will cause build or runtime failures. I've left a specific comment with a suggested fix.

I also recommend reviewing other logback dependencies in this pom.xml, as they appear to be outdated and potentially vulnerable as well:

  • The slf4j2_logback profile uses logback version 1.5.16, which is vulnerable according to the PR description (affects versions up to 1.5.18). This should be updated to 1.5.19 or newer.
  • The disabledLogging profile uses logback-classic:1.2.13 and logback-core:1.3.15. These are old, vulnerable, and also mismatched, which is a configuration error. They should be aligned to a single, patched version.

Addressing these other instances is important for comprehensive security hardening.

<properties>
<gapic-showcase.version>0.36.2</gapic-showcase.version>
<slf4j1-logback.version>1.2.13</slf4j1-logback.version>
<slf4j1-logback.version>1.5.19</slf4j1-logback.version>
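Review bot: the hunk bumps only `slf4j1-logback.version`, while the property name itself says this profile is paired with SLF4J 1.x (the review comment puts it at slf4j-api 1.7.36), and logback 1.5.x requires SLF4J 2.0.x; either the slf4j-api version for this profile has to move to 2.0.x in the same change, or the logback line chosen here has to be one that still works with SLF4J 1.7. Before merging, resolve the profile and confirm which slf4j-api actually lands on the class path, e.g. `mvn -P slf4j1_logback dependency:tree -Dincludes=org.slf4j,ch.qos.logback`.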


critical

Updating logback to version 1.5.19 in this profile introduces a critical compatibility issue. Logback version 1.5.x requires SLF4J 2.0.x, but the slf4j1_logback profile is configured to use slf4j-api:1.7.36. This mismatch will likely lead to LinkageError or other class loading issues at runtime.

To resolve this, you should use a logback version that is compatible with SLF4J 1.7.x. The 1.4.x series of logback is compatible. I suggest using the latest version in that series, 1.4.14, which also contains other recent security fixes.

If 1.5.19 is strictly required, the slf4j-api dependency in this profile must be upgraded to a 2.0.x version. In that case, I'd also recommend renaming the profile from slf4j1_logback to avoid future confusion.

Suggested change
<slf4j1-logback.version>1.5.19</slf4j1-logback.version>
<slf4j1-logback.version>1.4.14</slf4j1-logback.version>
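Review bot: the suggested 1.4.14 keeps the profile compatible with slf4j-api 1.7.36, but the advisory quoted in the PR description gives the affected range as "versions up to 1.5.18", and 1.4.14 sits inside that range; accepting this suggestion trades the CVE-2025-11226 fix for SLF4J compatibility unless the advisory lists a fixed 1.4.x release, so check the published fixed versions for the 1.3/1.4 lines before applying it, and otherwise prefer bumping slf4j-api to 2.0.x alongside 1.5.19.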

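The two review comments above boil down to three mechanical checks on the pom (logback still inside the advisory's affected range, logback-core and logback-classic pinned to different versions, and a logback 1.3+ line declared next to slf4j-api 1.7.x), plus the advisory's precondition that Janino is on the class path. The script below is an added example, written for this page and not part of the PR, the project, or either bot's comments. It parses a constructed sample pom.xml whose logback versions are the ones quoted in the review (1.5.19 in slf4j1_logback, 1.5.16 in slf4j2_logback, 1.2.13/1.3.15 in disabledLogging); the slf4j-api 2.0.16 pin in slf4j2_logback and the janino dependency in the base scope are assumptions made so that every check fires. The "up to 1.5.18" range and the "logback 1.5.x needs SLF4J 2.0.x" rule are taken from the PR text.

```python
"""Audit a Maven pom.xml for the logback / SLF4J issues discussed in this PR.

For the base <dependencies> and each <profile> the script flags:
  1. logback-core / logback-classic at or below 1.5.18 (the affected range
     the PR description gives for CVE-2025-11226);
  2. logback-core and logback-classic pinned to different versions;
  3. logback 1.3+ declared next to slf4j-api 1.7.x (logback 1.5.x needs
     SLF4J 2.0.x, as the review comment states);
  4. org.codehaus.janino:janino present, a precondition the advisory lists
     for the conditional-configuration code execution.
"""
import re
import xml.etree.ElementTree as ET

CVE_FIXED_IN = (1, 5, 19)  # advisory: affected "up to 1.5.18"


def dep(group, artifact, version):
    """Render one <dependency> element (helper for the constructed sample)."""
    return (f"<dependency><groupId>{group}</groupId><artifactId>{artifact}"
            f"</artifactId><version>{version}</version></dependency>")


def profile(pid, *deps):
    """Render one <profile> with its own <dependencies> (sample helper)."""
    return f"<profile><id>{pid}</id><dependencies>{''.join(deps)}</dependencies></profile>"


# Constructed sample, not the project's real pom.xml. logback versions match the
# review comments; slf4j-api 2.0.16 and the janino 3.1.12 pin are assumptions.
SAMPLE_POM = (
    '<project xmlns="http://maven.apache.org/POM/4.0.0"><properties>'
    "<slf4j1-logback.version>1.5.19</slf4j1-logback.version>"
    "<slf4j2-logback.version>1.5.16</slf4j2-logback.version></properties>"
    "<dependencies>" + dep("org.codehaus.janino", "janino", "3.1.12") + "</dependencies>"
    "<profiles>"
    + profile("slf4j1_logback",
              dep("org.slf4j", "slf4j-api", "1.7.36"),
              dep("ch.qos.logback", "logback-core", "${slf4j1-logback.version}"),
              dep("ch.qos.logback", "logback-classic", "${slf4j1-logback.version}"))
    + profile("slf4j2_logback",
              dep("org.slf4j", "slf4j-api", "2.0.16"),
              dep("ch.qos.logback", "logback-core", "${slf4j2-logback.version}"),
              dep("ch.qos.logback", "logback-classic", "${slf4j2-logback.version}"))
    + profile("disabledLogging",
              dep("ch.qos.logback", "logback-classic", "1.2.13"),
              dep("ch.qos.logback", "logback-core", "1.3.15"))
    + "</profiles></project>"
)


def parse_version(text):
    """'1.5.19' -> (1, 5, 19); None when there are no digits (e.g. an
    unresolved ${property}), so such values are never compared."""
    nums = [int(n) for n in re.findall(r"\d+", text or "")][:3]
    return tuple(nums + [0] * (3 - len(nums))) if nums else None


def read_properties(node, base=None):
    """Collect <properties> under node, layered over the base map."""
    props = dict(base or {})
    for p in node.findall("./{*}properties/*"):
        props[p.tag.split("}")[-1]] = (p.text or "").strip()
    return props


def resolve(value, props):
    """Expand ${name} references against the collected properties."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value or "")


def dependencies(node, props):
    """{'group:artifact': version} for the <dependencies> directly under node."""
    deps = {}
    for d in node.findall("./{*}dependencies/{*}dependency"):
        group = d.findtext("{*}groupId")
        artifact = d.findtext("{*}artifactId")
        deps[f"{group}:{artifact}"] = resolve(d.findtext("{*}version"), props)
    return deps


def audit_scope(scope, deps):
    """Run the four checks over one scope and return human-readable findings."""
    findings = []
    core = deps.get("ch.qos.logback:logback-core")
    classic = deps.get("ch.qos.logback:logback-classic")
    slf4j_text = deps.get("org.slf4j:slf4j-api")
    core_v, classic_v, slf4j_v = parse_version(core), parse_version(classic), parse_version(slf4j_text)
    for artifact, text, ver in (("logback-core", core, core_v), ("logback-classic", classic, classic_v)):
        if ver and ver < CVE_FIXED_IN:
            findings.append(f"{scope}: {artifact} {text} is in the CVE-2025-11226 range (<= 1.5.18)")
    if core_v and classic_v and core_v != classic_v:
        findings.append(f"{scope}: logback-core {core} and logback-classic {classic} are mismatched")
    logback_v = core_v or classic_v
    if logback_v and slf4j_v and logback_v >= (1, 3, 0) and slf4j_v < (2, 0, 0):
        findings.append(f"{scope}: logback {core or classic} needs slf4j-api 2.x, declares {slf4j_text}")
    if "org.codehaus.janino:janino" in deps:
        findings.append(f"{scope}: janino present, CVE-2025-11226 precondition met; keep logback config files write-protected")
    return findings


def audit_pom(xml_text):
    """Audit the base scope and every profile; profile properties override base ones."""
    root = ET.fromstring(xml_text)
    base_props = read_properties(root)
    findings = audit_scope("base", dependencies(root, base_props))
    for prof in root.findall("./{*}profiles/{*}profile"):
        pid = prof.findtext("{*}id") or "<unnamed>"
        findings += audit_scope(f"profile {pid}", dependencies(prof, read_properties(prof, base_props)))
    return findings


if __name__ == "__main__":
    for line in audit_pom(SAMPLE_POM):
        print(line)
```

Run it against a real file with `audit_pom(open("pom.xml").read())`. It reads only the one pom (no parent POM or dependencyManagement resolution), so treat a clean result as a prompt to confirm with `mvn -P <profile> dependency:tree`, not as proof; on the sample it reports the slf4j1_logback SLF4J mismatch, the two out-of-range versions in slf4j2_logback, and the out-of-range plus mismatched pins in disabledLogging.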