Bump ch.qos.logback:logback-classic from 1.3.16 to 1.5.27

[dependabot]

Bumps ch.qos.logback:logback-classic from 1.3.16 to 1.5.27.

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.27

2026-01-30 Release of logback version 1.5.27

• Updated license to Eclipse Public License version 2.0 from version 1.0, retaining the GPL 2.1 dual-license.

• Fixed missing MDC data transmitted by SocketAppender reported in issues/1010 by Lars Vogel.

• Removed all Receiver classes and components which were already disabled for several years.

• Refactored file scanning code for improved clarity.

• In SizeAndTimeBasedRollingPolicy modified totalSizeCap and maxFileSize comparison to taking into account file compression. This fixes issues/1007.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 3618eb01aad6672f9cd250dccf7546a69cbe982f associated with the tag v_1.5.27. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.26

2026-01-25 Release of logback version 1.5.26

• InsertFromJNDIModelHandler was accessing javax.naming package forcing the inclusion of the optional java.naming module. This problem was raised in issues/1003 by Marius Hanl who also provided the relevant PR.

• In applications using shadow/fat/shade jars, module or package information could be lost. Thus, in the absence of version information, logback-classic would warn about version mismatches. Logback components now ship with properties files containing version information that survive shadow/fat/shade jars. This issue was reporteed in issues/1002 by Christoph Gritschenberger.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 33deb54506bbfaf1ff151f26f3a5f86936011619 associated with the tag v_1.5.26. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.25

2026-01-17 Release of logback version 1.5.25

• When processing configuration files, logback-core will now only instantiate components compatible with the class expected by the encapsulating class. This fixes an ACE vulnerability recorded as CVE-2026-1225.

• In configuration files, referencing a single undeclared appender would cause all referenced appenders to be skipped. This issue was discovered in issues/997.

• Added VersionUtil class to logback-core. This utility class checks for version compatibility issues and alerts the user if need be.

• Added EpochConverter to output milliseconds/seconds since epoch. This enhancement was requested by Duncan Jauncey in issues/1000 who also provided the relevant implementation PR.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit f426e0002800cfb507f393fcacffe0761a425220 associated with the tag v_1.5.25. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.24

2026-01-06 Release of logback version 1.5.24

• Added ExpressionPropertyCondition a PropertyCondition that can evaluate boolean expressions similar to Java. See the relevant documentation for further details.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 62bc5fc245dd3a52f3dd45e232733f4cefb4806d associated with the tag v_1.5.24. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.23

2025-12-21 Release of logback version 1.5.23

• In response to issues/959 file name collisions are detected at configuration time by analyzing the configuration file and no longer at run time. This avoids the ConcurrentModificationException reported in the issue.

• ZIP and XZ compression now use a BufferedOutputStream when writing to the compressed file. This issue was reported in issues/988.

... (truncated)

Commits

• 3618eb0 increase timeout delay to 2000 millis
• db150c3 prepare release 1.5.27
• 0370b13 fix missing MDC transmission in SocketAppender. Fixes issues/1010
• 8100acd remove RemoteAppender*
• 2b67210 remove Receiver related classes
• d84b586 remove ReceiverModelHandler - project still builds indicating no active usage
• 44049ed remove support for receivers in SerializedModelConfigurator and JoranConfigur...
• 56085d8 fix test
• e7764f4 refactor file change scanning for clarity
• e56a12f bump assertj version
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Test Results

2 tests   - 246   0 ✅  - 234   0s ⏱️ - 1m 44s
2 suites  -  30   0 💤  -  14 
2 files    -  30   2 ❌ +  2 

For more details on these failures, see this check.

Results for commit eb0a7f6. ± Comparison against base commit ec0bfab.

This pull request removes 248 and adds 2 tests. Note that renamed tests count towards both.

de.gesellix.docker.authentication.AuthConfigReaderTest ‑ read auth config for missing config file
de.gesellix.docker.authentication.AuthConfigReaderTest ‑ read auth config for official Docker index
de.gesellix.docker.authentication.AuthConfigReaderTest ‑ read auth config for quay.io
de.gesellix.docker.authentication.AuthConfigReaderTest ‑ read auth config for unknown registry hostname
de.gesellix.docker.authentication.AuthConfigReaderTest ‑ read authConfig (legacy format)
de.gesellix.docker.authentication.AuthConfigReaderTest ‑ read authConfig (new format)
de.gesellix.docker.authentication.AuthConfigReaderTest ‑ read default authConfig
de.gesellix.docker.authentication.AuthConfigReaderTest ‑ read default docker config file using credsStore
de.gesellix.docker.authentication.CredsStoreHelperIntegrationTest ‑ can get auth from desktop on Mac OS X and Windows
de.gesellix.docker.authentication.CredsStoreHelperIntegrationTest ‑ can get auth from osxkeychain on Mac OS X
…

engine_junit-jupiter ‑ initializationError
engine_spock ‑ initializationError