
[FLINK-40071][build] Bump jackson-bom to 2.21.4#28637

Draft
spuru9 wants to merge 1 commit into
apache:masterfrom
spuru9:fix/flink-40071-jackson-2.21.4
Draft


Conversation


@spuru9 spuru9 commented Jul 4, 2026

Contributor

What is the purpose of the change

jackson-databind 2.21.3 is affected by several recently published CVEs (54512 through 54518). Bumping jackson-bom to 2.21.4 fixes all of them except 54515, which has no released fix in any jackson 2.x line yet (its announced fix versions 2.21.5/2.22.1 are unreleased, and 2.22.0 is also affected) — that one needs a follow-up once upstream ships.

Brief change log

  • jackson-bom.version 2.21.3 → 2.21.4 in the root pom
  • Updated the NOTICE files of the 11 modules bundling non-shaded jackson (jackson-annotations stays at 2.21, matching the bom)

Verifying this change

This change is a dependency version bump without code changes. All affected bundling modules build cleanly, and the bundled jackson-databind version inside the shaded jars (flink-sql-avro, flink-kubernetes, flink-python, flink-s3-fs-hadoop) was verified to be 2.21.4.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): (yes — jackson 2.21.3 → 2.21.4, patch release)
  • The public API, i.e., is any changed class annotated with @Public(Evolving): (no)
  • The serializers: (no)
  • The runtime per-record code paths (performance sensitive): (no)
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: (no)
  • The S3 file system connector: (no)

Documentation

  • Does this pull request introduce a new feature? (no)
  • If yes, how is the feature documented? (not applicable)

Was generative AI tooling used to co-author this PR?
  • Yes: Claude Code

Generated-by: Claude Code (claude-fable-5)

jackson-databind 2.21.3 is affected by several recently published CVEs
(CVE-2026-54512 through 54518). 2.21.4 fixes all of them except
CVE-2026-54515, which has no released fix in any 2.x line yet. Update
the NOTICE files of the modules bundling non-shaded jackson.

Generated-by: Claude Code (claude-fable-5)
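As an added example, not part of this PR or of Flink's own build tooling, the following script performs the check described under "Verifying this change": it reads each bundled artifact's pom.properties from a jar and compares the jackson versions with the ones the bump expects. The jar it inspects is constructed in memory (sample data), and it assumes the shade plugin left the META-INF/maven metadata in place, which is the default.

```python
import io
import zipfile

# Versions expected in the bundle after the bump (taken from the PR text).
EXPECTED = {
    "com.fasterxml.jackson.core:jackson-databind": "2.21.4",
    "com.fasterxml.jackson.core:jackson-annotations": "2.21",
}

def bundled_versions(jar):
    """Map groupId:artifactId -> version for every Maven pom.properties under
    META-INF/maven/ in the jar (a path or file-like object). Shaded jars keep
    these files unless the shade plugin is configured to strip them."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= set(props):
                found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return found

def check_bundled(jar, expected=EXPECTED):
    """Return (coordinate, found_version, expected_version) for each expected
    artifact that is missing from the jar or bundled at a different version."""
    found = bundled_versions(jar)
    return [(c, found.get(c), v) for c, v in expected.items() if found.get(c) != v]

def make_sample_jar(versions):
    """Constructed stand-in for a shaded jar (pom.properties only, no classes),
    returned as an in-memory file; a real check would pass the jar's path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for coord, version in versions.items():
            group, artifact = coord.split(":")
            body = f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n"
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties", body)
    return buf

if __name__ == "__main__":
    stale = {**EXPECTED, "com.fasterxml.jackson.core:jackson-databind": "2.21.3"}
    print("after bump:", check_bundled(make_sample_jar(EXPECTED)))  # []
    print("before bump:", check_bundled(make_sample_jar(stale)))
```

A non-empty result from check_bundled means the shaded jar still carries a jackson artifact at the old version, which is what the NOTICE update and the bump are meant to rule out.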

flinkbot commented Jul 4, 2026

Collaborator

CI report:

Bot commands

The @flinkbot bot supports the following commands:
  • @flinkbot run azure: re-run the last Azure build

@snuyanzin

Contributor

jackson-databind 2.21.3 is affected by several recently published CVEs (54512 through 54518). Bumping jackson-bom to 2.21.4 fixes all of them except 54515, which has no released fix in any jackson 2.x line yet (its announced fix versions 2.21.5/2.22.1 are unreleased, and 2.22.0 is also affected) — that one needs a follow-up once upstream ships.

The existence of a CVE in a 3rd party doesn't necessarily mean Flink is impacted.

If we bump the dependency now, it doesn't mean a new Flink release, which means nothing is changed for the end user.

So the question: why should we update now rather than wait for the full fix from jackson and update then?


spuru9 commented Jul 4, 2026

Contributor Author

OK, will move this to draft and add it to the JIRA. Will open it with the latest version close to the release.

@spuru9 spuru9 marked this pull request as draft July 4, 2026 06:04

3 participants