Bump org.apache.logging.log4j:log4j-bom from 2.24.3 to 2.25.4

[dependabot]

Bumps org.apache.logging.log4j:log4j-bom from 2.24.3 to 2.25.4.

Release notes

Sourced from org.apache.logging.log4j:log4j-bom's releases.

2.25.4

This patch release delivers fixes for configuration inconsistencies and formatting issues across several layouts.

• Restores alignment between documented and actual configuration attributes.
• Fixes formatting and sanitization issues in XML and RFC5424 layouts.
• Improves handling of invalid characters and non-standard values.

The authoritative list of recognized configuration attributes is available in the PluginReference.

Fixed

• Don't issue warnings if extra argument in parameterized logging is null. (#3975, #4014)
• Restore support for documented Rfc5424Layout parameter names. (#4022, #4074)
• Take Throwable#toString() into account while rendering stack traces in Pattern Layout. (#3623, #4033)
• Added debug level logs for successful resource loading in Loader class. (#4058, #4060)
• Align SslConfiguration factory method usage with Log4j 2.12+ API. The verifyHostname attribute is now correctly recognized. (#4061, #4075)
• Fix sanitization of structured data parameter names in RFC5424 layout. (#4073)
• Replace invalid characters in XmlLayout output with the Unicode replacement character (U+FFFD). (#4077)
• Replace invalid characters in Log4j1XmlLayout output with the Unicode replacement character (U+FFFD). (#4078)
• Replace invalid characters in MapMessage.asXml() output with the Unicode replacement character (U+FFFD). (#4079)
• Write non-finite floating-point numbers as strings in JsonWriter. (#4080)

2.25.3

This patch release addresses issues detailed in the changelog below. In particular, it includes an important fix for the host name verification in SSL/TLS configuration. This is used by Socket Appender.

Changed

• Optimize DefaultThreadContextMap.getCopy() performance by avoiding megamorphic calls in HashMap constructor (#3935, #3939)

Fixed

• Fix GraalVM metadata for nested classes to use binary names instead of canonical names (#3871, #3996)
• Fix failures caused by null SslConfiguration (#3947, #3953)
• Fix incorrect handling of the host name verification in SSL/TLS configuration, which is used by Socket Appender when SSL/TLS is enabled (#4002)

Removed

• Remove the com.github.spotbugs:spotbugs-annotations dependency (#3984, #3985)

2.25.2

This patch release addresses certain minor issues detailed in the changelog.

Fixed

• Fix potential memory leak involving LogBuilder in Log4j API to Logback bridge (#3819, #3824)
• Prevent unnecessary warnings in AbstractDriverManagerConnectionSource (#3828, #3831)
• Fix missing newlines in default logging configuration for log4j-core (#3835, #3851)
• Fix missing default Target value in Console Appender (#3852)
• Discard the sub-second part while obtaining the initial time (i.e., creation time) of a file in RollingFileManager (#3068, #3872)
• Fix Pattern Layout exception stack trace converters to no longer prepend newlines based on context (#3873, #3919)

... (truncated)

Commits

• 0628e53 Update the project.build.outputTimestamp property
• a2590b4 Add debug logs for successful resource loading in Loader (#4060)
• b788154 Changelog for additional fixes
• 59bd6b3 Avoid referring to PluginBuilderAttribute.class in PluginProcessor (#4041)
• 79568db Take Throwable#toString() into account while rendering stack traces in Patt...
• 0881bc5 Add versioning and support policy information (#3341)
• 0543b52 docs: recommend use of appropriately scoped trust roots (#4006)
• 7a1e0ad Fix warning when last argument is null (#4014)
• 5286148 Remove Log4j Jakarta EE link from navigation file (#4025)
• adcda32 Retire Log4j Scala (#4030)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)