[DS-3795] Update jackson-databind due to known vulnerabilities. #2032
Looks good to me, and it passes tests.
@@ -1512,7 +1512,7 @@ | |||
<dependency> | |||
<groupId>com.fasterxml.jackson.core</groupId> | |||
<artifactId>jackson-databind</artifactId> | |||
<version>${jackson.version}</version> | |||
<version>2.8.11.1</version> <!-- TODO sync. with jackson.version --> |
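Review bot: the hard-coded 2.8.11.1 on the jackson-databind version line replaces ${jackson.version}, so the POM now has two independent sources for Jackson versions, and a later bump of jackson.version will not reach this dependency. Consider moving the pin into its own property defined next to jackson.version (a name such as jackson-databind.version is only a suggestion), so the override is visible where versions are managed. The TODO comment should also say what has to happen before the two can be synced, since "sync. with jackson.version" alone does not tell the next maintainer why the pin exists or when it is safe to remove.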
Before merging, this TODO needs cleaning up (I'm assuming that's why this is still flagged as a WIP). Currently we seem to have two versions of jackson (2.8.11 in jackson.version and 2.8.11.1 here). It'd be nice to get this set in one place and inherited everywhere else.
No, the TODO is for later, when it is possible to sync. them. There is no jackson-core or jackson-annotations 2.8.11.1, but jackson-databind 2.8.11 still has the bug.
It's WIP because I'm still looking into fixing some of the remaining Snyk complaints. Sorry, should have said so. If I have nothing to add today, I'll remove WIP.
Rebased on today's master. Locally, all automated tests still pass.
Tested legacy rest with these changes. Works as expected.
I also tested legacy rest with JSON and XML responses successfully. +1, let's merge!
https://jira.duraspace.org/browse/DS-3795