Bump ch.qos.logback:logback-classic from 1.3.16 to 1.5.26

[dependabot]

Bumps ch.qos.logback:logback-classic from 1.3.16 to 1.5.26.

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.26

2026-01-25 Release of logback version 1.5.26

• InsertFromJNDIModelHandler was accessing javax.naming package forcing the inclusion of the optional java.naming module. This problem was raised in issues/1003 by Marius Hanl who also provided the relevant PR.

• In applications using shadow/fat/shade jars, module or package information could be lost. Thus, in the absence of version information, logback-classic would warn about version mismatches. Logback components now ship with properties files containing version information that survive shadow/fat/shade jars. This issue was reporteed in issues/1002 by Christoph Gritschenberger.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 33deb54506bbfaf1ff151f26f3a5f86936011619 associated with the tag v_1.5.26. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.25

2026-01-17 Release of logback version 1.5.25

• When processing configuration files, logback-core will now only instantiate components compatible with the class expected by the encapsulating class. This fixes an ACE vulnerability recorded as CVE-2026-1225.

• In configuration files, referencing a single undeclared appender would cause all referenced appenders to be skipped. This issue was discovered in issues/997.

• Added VersionUtil class to logback-core. This utility class checks for version compatibility issues and alerts the user if need be.

• Added EpochConverter to output milliseconds/seconds since epoch. This enhancement was requested by Duncan Jauncey in issues/1000 who also provided the relevant implementation PR.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit f426e0002800cfb507f393fcacffe0761a425220 associated with the tag v_1.5.25. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.24

2026-01-06 Release of logback version 1.5.24

• Added ExpressionPropertyCondition a PropertyCondition that can evaluate boolean expressions similar to Java. See the relevant documentation for further details.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 62bc5fc245dd3a52f3dd45e232733f4cefb4806d associated with the tag v_1.5.24. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.23

2025-12-21 Release of logback version 1.5.23

• In response to issues/959 file name collisions are detected at configuration time by analyzing the configuration file and no longer at run time. This avoids the ConcurrentModificationException reported in the issue.

• ZIP and XZ compression now use a BufferedOutputStream when writing to the compressed file. This issue was reported in issues/988.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 0bcc3feb54a6d99caac70969ee5f8334aad1fbaf associated with the tag v_1.5.23. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.22

2025-12-11 Release of logback version 1.5.22

• In order to prevent involuntary information leakage, Logback will no longer output the value of a substituted variable, if the variable name contains any of the case-insensitive strings "password", "secret" or "confidential". This problem was reported by Chintan Rohila in issues/986.

• Logback now takes the overridden toString() method of Throwable subclasses into account when printing stack traces. This issue was reported in LOGBACK-543 by Alvin Chee, with a fix provided in PR 404 by Brett Kail.

• Instead of limit-counting guard, Logback now uses a tumbling-window guard to rate limit internal error messages.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 572379aabd2f672b49593e4020696c624541e5b0 associated with the tag v_1.5.22. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.21

... (truncated)

Commits

• 33deb54 prepare release 1.5.26
• d38a3e2 refactoring based on usage in logback-access
• 4368333 move VersionUtil.getCoreVersionBySelfDeclaredProperties to CoreVersionUtil
• 8bd5660 modify VersionCheckTest to use logback-core 1.5.25
• 7a8f0b6 version information is self declared by modules.
• 00d272f Do not use javax.naming namespace in the catch block, so that Logback can be ...
• 420d67c mention country only, add missing 2016-03-29
• 033aba4 fix javadoc errors
• 6d52744 start work on 1.5.26-SNAPSHOT
• f426e00 prepare release of 1.5.25
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Test Results

 2 files  ± 0   2 suites  ±0   0s ⏱️ ±0s
18 tests  - 19  17 ✅  - 20  0 💤 ±0   1 ❌ + 1 
30 runs   -  8  17 ✅  - 21  0 💤 ±0  13 ❌ +13 

For more details on these failures, see this check.

Results for commit 191d7b0. ± Comparison against base commit 7f2288c.

This pull request removes 20 and adds 1 tests. Note that renamed tests count towards both.

de.gesellix.docker.compose.ComposeFileReaderTest ‑ config external
de.gesellix.docker.compose.ComposeFileReaderTest ‑ config file
de.gesellix.docker.compose.ComposeFileReaderTest ‑ config short format
de.gesellix.docker.compose.ComposeFileReaderTest ‑ should have 3 config
de.gesellix.docker.compose.ComposeFileReaderTest ‑ should interpolate environment variables
de.gesellix.docker.compose.ComposeFileReaderTest ‑ should load a config based on a 3.1 schema
de.gesellix.docker.compose.ComposeFileReaderTest ‑ should load a config with attachable networks
de.gesellix.docker.compose.ComposeFileReaderTest ‑ should load all top level attributes
de.gesellix.docker.compose.ComposeFileReaderTest ‑ should load environments as dict
de.gesellix.docker.compose.ComposeFileReaderTest ‑ should load environments as list
…

de.gesellix.docker.compose.ComposeFileReaderTest ‑ initializationError