Bump Jackson from 2.19.2 to 2.21.2 to fix GHSA-72hv-8253-57qq #178

Merged: jorgeazevedo merged 2 commits into main from ja-fix-jackson-dos-vulnerability, Apr 9, 2026
Conversation

jorgeazevedo (Contributor) commented Apr 8, 2026
What does this change?

Bumps Jackson dependencies from 2.19.2 to 2.21.2 to fix GHSA-72hv-8253-57qq
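A check a reviewer of a bump like this usually wants, given here as an added example that is not part of this PR or of Prout's own code: parse a dependency tree and confirm that every resolved Jackson module is at or above the fixed version and that the Jackson modules are version-aligned (a bump that moves jackson-databind but leaves a transitive jackson-module-scala behind is easy to miss). The dependency-tree text is constructed for illustration; the fixed version 2.21.2 is taken from the PR title, and treating any com.fasterxml.jackson artifact below it as still affected is an assumption of the example, not a statement from the advisory.

```python
"""Audit the Jackson modules resolved in a build against the fixed version.

Added example, not code from the Prout repository or this PR. Assumptions:
the advisory named in the PR title is fixed in 2.21.2 (from the title), and
every com.fasterxml.jackson artifact below that is treated as still
affected; the dependency-tree text is constructed for illustration and only
mimics the "group:artifact:version" form printed by sbt dependencyTree and
mvn dependency:tree.
"""
import re

FIXED_VERSION = (2, 21, 2)          # assumption: taken from the PR title
JACKSON_GROUP_PREFIX = "com.fasterxml.jackson"

# Constructed sample: the transitive jackson-module-scala was not bumped,
# and an older jackson-databind still appears as an evicted entry.
SAMPLE_TREE = """\
[info] com.gu:prout_2.13:1.0-SNAPSHOT
[info]   +-com.typesafe.play:play_2.13:3.0.0
[info]   | +-com.fasterxml.jackson.core:jackson-databind:2.19.2 (evicted by: 2.21.2)
[info]   | +-com.fasterxml.jackson.core:jackson-databind:2.21.2
[info]   | +-com.fasterxml.jackson.core:jackson-core:2.21.2
[info]   | +-com.fasterxml.jackson.core:jackson-annotations:2.21.2
[info]   +-com.fasterxml.jackson.module:jackson-module-scala_2.13:2.19.2
"""

# Constructed sample in which every Jackson module is aligned at 2.21.2.
CLEAN_TREE = """\
[info] com.gu:prout_2.13:1.0-SNAPSHOT
[info]   +-com.fasterxml.jackson.core:jackson-databind:2.21.2
[info]   +-com.fasterxml.jackson.core:jackson-core:2.21.2
[info]   +-com.fasterxml.jackson.core:jackson-annotations:2.21.2
[info]   +-com.fasterxml.jackson.module:jackson-module-scala_2.13:2.21.2
"""

# group:artifact:version, optionally followed by sbt's "(evicted by: X)" marker.
COORD_RE = re.compile(
    r"\b([A-Za-z][A-Za-z0-9_.\-]*):([A-Za-z0-9_.\-]+):(\d+(?:\.\d+)*)"
    r"(\s+\(evicted by: [^)]*\))?"
)


def parse_version(text: str) -> tuple:
    return tuple(int(p) for p in text.split("."))


def fmt(version: tuple) -> str:
    return ".".join(str(p) for p in version)


def resolved_jackson_modules(tree: str) -> dict:
    """Map artifact -> version tuple for the Jackson modules that actually
    resolved (sbt's evicted entries are skipped: they never reach the classpath)."""
    modules = {}
    for line in tree.splitlines():
        m = COORD_RE.search(line)
        if m is None:
            continue
        group, artifact, version, evicted = m.groups()
        if evicted or not group.startswith(JACKSON_GROUP_PREFIX):
            continue
        modules[artifact] = parse_version(version)
    return modules


def audit_jackson(tree: str, fixed: tuple = FIXED_VERSION) -> list:
    """Return human-readable findings; an empty list means the build is clean.

    Two checks: every resolved Jackson module is at or above the fixed
    version, and all Jackson modules share one version (Jackson's own guidance
    is to keep core, databind and annotations at the same version, so a bump
    should move them, and the Scala module, together).
    """
    modules = resolved_jackson_modules(tree)
    findings = []
    for artifact, version in sorted(modules.items()):
        if version < fixed:
            findings.append(f"{artifact} resolved to {fmt(version)}, below fixed {fmt(fixed)}")
    if len(set(modules.values())) > 1:
        listing = ", ".join(f"{a}={fmt(v)}" for a, v in sorted(modules.items()))
        findings.append(f"Jackson modules not version-aligned: {listing}")
    return findings


if __name__ == "__main__":
    for name, tree in (("sample", SAMPLE_TREE), ("clean", CLEAN_TREE)):
        problems = audit_jackson(tree)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against real output by piping `sbt dependencyTree` (or `mvn dependency:tree`) into `audit_jackson`; the evicted-entry handling matters because sbt prints the superseded 2.19.2 line next to the winning one, and counting it would produce a false positive on an otherwise clean bump.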

@jorgeazevedo jorgeazevedo added the maintenance Departmental tracking: maintenance work, not a fix or a feature label Apr 8, 2026
jorgeazevedo (Contributor, Author) commented:

@rtyley am I right in thinking that these tests are currently broken? I tried running it against main (on a different branch, to avoid making main red) and it's also failed after it exceeds the max amount of retries/time https://github.com/guardian/prout/actions/runs/24146534954/job/70461782957

I wonder if it's the same issue you were trying to fix here: #146

rtyley added a commit that referenced this pull request Apr 8, 2026
As detailed in this PR:

* rtyley/play-git-hub#18

...there are multiple issues affecting the flakiness of Prout's integration tests,
and fixing them all involved some pretty big changes to `play-git-hub`, released with
v10 of that library:

* https://github.com/rtyley/play-git-hub/releases/tag/v10.0.0

Unfortunately updating Prout to adapt to that new version of `play-git-hub` is a big job,
especially the migration from `Future` to `IO` - the PR to do that isn't yet completed:

* #146

...in the meantime, Prout's integration tests are failing frequently:

* #178 (comment)

This change disables Prout's integration tests - we'll just have
to double-check after deploy that Prout is still working!
rtyley (Member) commented Apr 8, 2026

@rtyley am I right in thinking that these tests are currently broken?

Gah, yes, unfortunately so. I've opened this PR to disable those flaky tests:

@jorgeazevedo jorgeazevedo marked this pull request as ready for review April 9, 2026 09:25
jorgeazevedo (Contributor, Author) commented:

Thanks @rtyley ! I'll rebase when you merge #179

rtyley (Member) commented Apr 9, 2026

Thanks @rtyley ! I'll rebase when you merge #179

#179 merged, should be good to rebase now!

@jorgeazevedo jorgeazevedo force-pushed the ja-fix-jackson-dos-vulnerability branch from a28b76e to 7f34160 April 9, 2026 10:12
@jorgeazevedo jorgeazevedo requested a review from rtyley April 9, 2026 10:13
@jorgeazevedo jorgeazevedo marked this pull request as draft April 9, 2026 10:35
@jorgeazevedo jorgeazevedo marked this pull request as ready for review April 9, 2026 13:14
@jorgeazevedo jorgeazevedo merged commit 895c4d2 into main Apr 9, 2026
3 checks passed
@jorgeazevedo jorgeazevedo deleted the ja-fix-jackson-dos-vulnerability branch April 9, 2026 13:14
gu-prout (Bot) commented Apr 9, 2026

Seen on PROD (merged by @jorgeazevedo 9 hours, 9 minutes and 31 seconds ago) Please check your changes!

Sentry Release: prout

Labels: maintenance (Departmental tracking: maintenance work, not a fix or a feature), Seen-on-PROD