
Upgrade jackson to 2.13.2.20220324 #87

Closed
pmlopes opened this issue Mar 24, 2022 · 2 comments · Fixed by #89

Comments


pmlopes commented Mar 24, 2022

See: GHSA-57j2-w4cx-62h2

Although jackson-databind isn't a dependency used by vert.x core modules, we should bump the version we use as it imports the official jackson bom which sets the default version for this dependency by projects that include it without locking the version.

@pmlopes pmlopes added the bug label Mar 24, 2022

pmlopes commented Mar 24, 2022

See: FasterXML/jackson-databind#2816 (comment)

Confirmation that the issue doesn't affect the modules used directly by vert.x

@vietj vietj added this to the 4.3.0 milestone Mar 24, 2022

pmlopes commented Mar 24, 2022

Just to clarify to our users, we do refer to jackson-databind from our pom.xml files, but as can be checked, this reference is test scoped. We do include the dependency during tests, to assert that we still work as expected when databind is available.
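A check for what the comments above describe: which jackson-databind version the imported jackson bom actually resolves in a downstream project, and in which scope, compared against the fixed release this issue bumps to. This is an added example, not vert.x code; the dependency:tree output and the `example:app` artifact below are constructed for offline use.

```shell
#!/bin/sh
# Added example (not vert.x code): check the jackson-databind version Maven
# resolves in a project that imports the jackson bom against the fixed
# release named in this issue. In a real project, feed it the output of:
#   mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
FIXED_VERSION="2.13.2.20220324"

# Constructed sample trees (not real vert.x output): one still on the old bom,
# one after the bump. "example:app" is a placeholder artifact name.
SAMPLE_OLD='[INFO] example:app:jar:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.13.1:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:test'
SAMPLE_FIXED='[INFO] example:app:jar:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.20220324:test'

# Print "version:scope" for every jackson-databind line in a dependency:tree dump.
databind_entries() {
  printf '%s\n' "$1" |
    grep -o 'com\.fasterxml\.jackson\.core:jackson-databind:jar:[^ ]*' |
    cut -d: -f4,5
}

# Return 0 if every resolved jackson-databind version is >= FIXED_VERSION.
# sort -V orders 2.13.1 < 2.13.2 < 2.13.2.20220324, which a plain string
# comparison would get wrong. The scope is reported so a test-only hit
# (as in vert.x core) can be told apart from one that ships at runtime.
check_tree() {
  status=0
  for entry in $(databind_entries "$1"); do
    ver=${entry%%:*}
    scope=${entry#*:}
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n1)
    if [ "$lowest" = "$FIXED_VERSION" ]; then
      echo "ok:   jackson-databind $ver ($scope scope)"
    else
      echo "FAIL: jackson-databind $ver ($scope scope) is below $FIXED_VERSION"
      status=1
    fi
  done
  return $status
}

check_tree "$SAMPLE_FIXED"
check_tree "$SAMPLE_OLD" || echo "old bom detected, as expected"
```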

@pmlopes pmlopes changed the title Upgrade jackson to 2.14 Upgrade jackson to 2.13.2.20220324 Mar 26, 2022
pmlopes added a commit that referenced this issue Mar 26, 2022
Bump jackson to avoid CVE
pmlopes added a commit that referenced this issue Mar 26, 2022
Signed-off-by: Paulo Lopes <pmlopes@gmail.com>
@pmlopes pmlopes mentioned this issue Mar 26, 2022
pmlopes added a commit that referenced this issue Mar 26, 2022