Today, we released maintenance releases for our Hibernate Validator 6.2 and 7.0 branches.
By now, you are all aware of the Log4j 2 security issue called Log4Shell, announced on Friday. The good news is that Hibernate Validator does NOT use Log4j 2 but uses JBoss Logging as its logging framework.
Why release these versions then? Log4j 2 is only a test dependency of Hibernate Validator. Being a test dependency, Log4j 2 doesn't come into your apps through Hibernate Validator, so you don't have to worry about this issue from the Hibernate Validator perspective. However, we have been hit in the past by security scanners that were not as fine-grained as we would have liked, so we preferred to release new versions proactively to make sure Hibernate Validator does not get wrongly reported as unsafe.
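The scope distinction above, as an added example (not Hibernate Validator's own code): a small Python check over the text output of mvn dependency:tree that reports whether an artifact sits on a shipped scope or is test-only. The two trees, their com.example coordinates and the 0.0.0 versions are constructed sample input.

```python
import re

# Scopes that Maven passes on to consumers and packages with an application.
# "test" and "provided" dependencies are not transitive and are not shipped.
SHIPPED_SCOPES = {"compile", "runtime"}

# One dependency node of `mvn dependency:tree` text output:
#   [INFO] +- groupId:artifactId:type[:classifier]:version:scope
# The root project line has no scope field and is deliberately not matched.
NODE = re.compile(
    r"^\[INFO\]\s[|\\+\-\s]*(?P<coords>[\w.\-]+(?::[\w.\-]+){4,5})(?:\s.*)?$"
)

def find_artifact(tree_text, group_id, artifact_id):
    """Return (version, scope, shipped) for every matching node in the tree."""
    hits = []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        parts = m.group("coords").split(":")
        if parts[0] != group_id or parts[1] != artifact_id:
            continue
        version, scope = parts[-2], parts[-1]
        hits.append((version, scope, scope in SHIPPED_SCOPES))
    return hits

# Constructed sample: a library that uses Log4j 2 only in its own tests.
LIBRARY_TREE = r"""
[INFO] com.example:some-library:jar:0.0.0
[INFO] +- org.jboss.logging:jboss-logging:jar:0.0.0:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:0.0.0:test
"""

# Constructed sample: an application that really ships Log4j 2.
APP_TREE = r"""
[INFO] com.example:some-app:jar:0.0.0
[INFO] +- org.hibernate.validator:hibernate-validator:jar:6.2.1.Final:compile
[INFO] |  \- org.jboss.logging:jboss-logging:jar:0.0.0:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:0.0.0:compile
"""

if __name__ == "__main__":
    for name, tree in (("library", LIBRARY_TREE), ("app", APP_TREE)):
        for version, scope, shipped in find_artifact(
            tree, "org.apache.logging.log4j", "log4j-core"
        ):
            verdict = "SHIPPED" if shipped else "test-only, not shipped"
            print(f"{name}: log4j-core {version} scope={scope} -> {verdict}")
```

A scanner that matches on the artifact name alone would flag both trees; only the second one puts log4j-core on an application's runtime classpath.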
Getting 6.2.1.Final
To get the release with Maven, Gradle etc., use the GAV coordinates org.hibernate.validator:{hibernate-validator|hibernate-validator-cdi|hibernate-validator-annotation-processor}:6.2.1.Final. Note that the group id has changed from org.hibernate (Hibernate Validator 5 and earlier) to org.hibernate.validator (from Hibernate Validator 6 onwards).
Getting 7.0.2.Final
To get the release with Maven, Gradle etc., use the GAV coordinates org.hibernate.validator:{hibernate-validator|hibernate-validator-cdi|hibernate-validator-annotation-processor}:7.0.2.Final. Note that the group id has changed from org.hibernate (Hibernate Validator 5 and earlier) to org.hibernate.validator (from Hibernate Validator 6 onwards).
Feedback, issues, ideas?
To get in touch, use the usual channels:
- hibernate-validator tag on Stack Overflow (usage questions)
- User forum (usage questions, general feedback)
- Issue tracker (bug reports, feature requests)
- Mailing list (development-related discussions)
- Jakarta Bean Validation development mailing list (discussions about the Jakarta Bean Validation specification)