After investigation, we’ve concluded that we are not affected by log4shell.

Nevertheless we investigated any exposure we might have.

We don’t use log4j at all. However we discovered that a third-party dependency does.

We’ve configured our build project to ensure that the fixed version of log4j (2.16) is used by that third-party dependency.

We’ve verified this fix with multiple sets of eyes.

We built and deployed this updated version as a precaution.

Some other measures we use to protect Feature Upvote:

None of these measures are sufficient by themselves. Together, however, when combined with the rest of our security-conscious processes, we aim to keep Feature Upvote safe from known and unknown security vulnerabilities.