Thanks for the update. We’re prioritising the assets which potentially have log4j on their classpath in production. The KCL only includes log4j as a test depedency so we haven’t bumped that yet. We will update to the latest KCL once we’ve iterated through the other dependencies/assets we feel are more pressing to update.
Please see the advisory for more information on this: Advisory: Impact of Log4j 2 CVE-2021-44228 on Snowplow components - #6 by stevecs