Hi,

While working on PR #2142 [1] I noticed that we have an `a.o.l.l.core.parser` package that depends on Jackson.

Since Log4j itself never parses log events, I would propose to remove it from `log4j-core` and optionally move it somewhere else (Chainsaw or Flume?).

My main concern is vulnerability exposure:

* I would like to prevent CVEs like CVE-2019-17571 [2] from being published against `log4j-core` in the future. Dealing with CVEs that say "code that we never use is vulnerable to..." brings a lot of useless PR/documentation work: we'll need to explain to users how to mitigate a vulnerability that is almost never exploitable, and our users will also have to evaluate the exploitability of the CVE in their own applications,
* in some not so far future we'll need to publish VEX records to comply with regulation. Every time Jackson publishes a deserialization vulnerability, we'll need to state that we are vulnerable.

What do you think?

Piotr

[1] https://github.com/apache/logging-log4j2/pull/2142
[2] https://www.cvedetails.com/cve/CVE-2019-17571/