[DS-3795] Update jackson-databind due to known vulnerabilities. #2032
Conversation
mwoodiupui
added
bug
work in progress
| @@ -1512,7 +1512,7 @@ | |||
| <dependency> | |||
| <groupId>com.fasterxml.jackson.core</groupId> | |||
| <artifactId>jackson-databind</artifactId> | |||
| <version>${jackson.version}</version> | |||
| <version>2.8.11.1</version> <!-- TODO sync. with jackson.version --> | |||
There was a problem hiding this comment.
Before merging, this TODO needs cleaning up (I'm assuming that's why this is still flagged as a WIP). Currently we seem to have two versions of jackson (2.8.11 in jackson.version and 2.8.11.1 here). It'd be nice to get this set in one place and inherited everywhere else.
There was a problem hiding this comment.
No, the TODO is for later, when it is possible to sync. them. There is no jackson-core or jackson-annotations 2.8.11.1, but jackson-databind 2.8.11 still has the bug.
It's WIP because I'm still looking into fixing some of the remaining Snyk complaints. Sorry, should have said so. If I have nothing to add today, I'll remove WIP.
mwoodiupui
removed
the
work in progress
|
Rebased on today's master. Locally, all automated tests still pass. |
https://jira.duraspace.org/browse/DS-3795