Lagom 1.6.7 released!

Dear all,

A new Lagom version has been release (v1.6.7).

As previously explained in the Lightbend blog post, Lagom doesn’t use log4j 2 directly, but it can be included as an opt-in.

With this release, the log4j version that can be included in a Lagom application is upgraded to version 2.15.0, the version that addresses the CVE-2021-44228 vulnerability.

Moreover, we discover that the Kafka broker library used in dev-mode was including an old version of log4j (v1.2.17) and that for no reason. This was never a real concern because this library is never deployed on a running Lagom application, but to avoid confusion and false alarms this obsolete dependency has been removed.

More details can be found on GitHub

1 Like

Thank you @octonato