From 11ff184b464aeb04acff533dc1b1da45eabd5bc0 Mon Sep 17 00:00:00 2001
From: Scala Steward <scala_steward@virtuslab.com>
Date: Sun, 13 Jul 2025 13:57:27 +0000
Subject: [PATCH] Update log4j-core to 2.25.1

---
 lock.sbt                   | 2 +-
 project/Dependencies.scala | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lock.sbt b/lock.sbt
index a19d076aa..f77a5faa7 100644
--- a/lock.sbt
+++ b/lock.sbt
@@ -122,7 +122,7 @@ Compile / dependencyOverrides ++= {
       "org.apache.httpcomponents" % "httpcore" % "4.4.5",
       "org.apache.httpcomponents" % "httpcore-nio" % "4.4.5",
       "org.apache.logging.log4j" % "log4j-api" % "2.17.2",
-      "org.apache.logging.log4j" % "log4j-core" % "2.17.2",
+      "org.apache.logging.log4j" % "log4j-core" % "2.25.1",
       "org.apache.lucene" % "lucene-analyzers-common" % "7.7.3",
       "org.apache.lucene" % "lucene-backward-codecs" % "7.7.3",
       "org.apache.lucene" % "lucene-core" % "7.7.3",
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 7e630835b..e83c33d43 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -155,7 +155,7 @@ object Dependencies {
     // and there's (as of 2025-07) nothing interesting in newer versions?
     // (Versions <= 2.17.0 are vulnerable.)
     //  log4jApi  = "org.apache.logging.log4j" % "log4j-api" % "..."   // not needed
-    val log4jCore = "org.apache.logging.log4j" % "log4j-core" % "2.17.2"  // needed
+    val log4jCore = "org.apache.logging.log4j" % "log4j-core" % "2.25.1"  // needed
 
 
     // ----- Metrics, tracing