upgrade jackson to - 2.9.10 #1284
(for some security fixes)
build.gradle
@@ -37,7 +37,7 @@ allprojects { | |||
servoVersion = '0.12.21' | |||
governatorVersion = '1.17.5' | |||
archaiusVersion = '0.7.6' | |||
jacksonVersion = '2.9.4' | |||
jacksonVersion = '2.10.3' |
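Review bot: the new value `jacksonVersion = '2.10.3'` crosses from the 2.9 line into 2.10, while the PR title says 2.9.10. This one variable is the only Jackson version setting visible in the hunk, so the bump applies wherever it is referenced. Consider pinning it to the 2.9.x patch release that carries the security fixes in this PR and moving to 2.10.x in a separate change, so any compatibility break can be isolated. It would also help to name the advisories being fixed in the PR description instead of "some security fixes".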
Seems like 2.9.10 includes the same security fixes. I don't mind jumping further but would probably want it separately to make sure nothing breaks (it's 2 years' worth of changes).
Thanks for the fast reply!
I saw 2 vulnerabilities in 2.9.10:
GHSA-fmmc-742q-jg75
GHSA-mx7p-6679-8g3q
If you prefer to do it in steps, maybe we should upgrade to 2.9.10.1?
(Maybe there are more in later releases but these are the ones found in a quick search)
Let's do it in 2 steps if you don't mind, the latest 2.9.x and then try out 2.10.x?
2.9.10.3 seems like a safe bet?
Sounds Good :)
I'll upgrade to 2.9.10.3 first.
Thanks! :)
(Security fixes)
I see that jackson-databind has 2.9.10.3 but jackson-core does not have it and there is only one variable for Jackson libraries. I will change to 2.9.10 for now.
(Security fixes)
Thanks, @troshko111! Have a lovely day :)
Thanks for the PR! I'll release this now.
Great! Thanks a lot!
Hi @troshko111 :) Regarding the upgrade to latest Jackson 2.10.3, are there any special steps I should do before creating the PR? Thanks again!
Hey, I went over the changelog and don't really see anything there which could break compatibility. I think it'd be a good idea to compare the