sbt 1.5.8 updates log4j 2 to 2.17.0, which fixes a denial of service vulnerability caused by infinite recursion (CVE-2021-45105) #6755 by @augi