All,

We upgraded to log4j 2.16.0 in the 1.x branch and upgraded a few other dependencies that ossindex flagged as vulnerable. Given the breaking changes in migrating from log4j to log4j2, I've gone with the notion that the next 1.x release should be 1.28, not 1.27.1. Once Subhajit has a chance to review the log4j2 mods around monitoring in tika server, should I roll a release candidate for 1.28?

Best,
Tim
