Blaze not vulnerable to CVE-2021-44228 (log4j)

[alexanderkiel]

Blaze isn't vulnerable to CVE-2021-44228 because it doesn't use or depend on log4j.

Although Blaze is written in Clojure, it still runs on the JVM and uses many libraries from the Java ecosystem. The primary logging library Blaze uses is timbre, a pure Clojure logging library. The Java libraries, Blaze uses, all use the slf4j logging api. That libraries are org.apache.kafka/kafka-clients:3.0.0 and com.datastax.oss/java-driver-core:4.13.0. However the logging of that libraries is disabled by depending on org.slf4j/slf4j-nop at top-level.