upgrade jackson to - 2.9.10 #1284
Conversation
(for some security fixes)
build.gradle
Outdated
| @@ -37,7 +37,7 @@ allprojects { | |||
| servoVersion = '0.12.21' | |||
| governatorVersion = '1.17.5' | |||
| archaiusVersion = '0.7.6' | |||
| jacksonVersion = '2.9.4' | |||
| jacksonVersion = '2.10.3' | |||
There was a problem hiding this comment.
Seems like 2.9.10 includes the same security fixes, I don't mind jumping further but would probably want it separately to make sure nothing breaks (it's 2 years worth of changes).
There was a problem hiding this comment.
Thanks for the fast reply!
I saw 2 vulnerabilities in 2.9.10:
GHSA-fmmc-742q-jg75
GHSA-mx7p-6679-8g3q
If you prefer to do it in steps, maybe we should upgrade to 2.9.10.1?
(Maybe there are more in later releases but these are the ones found in a quick search)
There was a problem hiding this comment.
Let's do it in 2 steps if you don't mind, the latest 2.9.x and then try out 2.10.x?
There was a problem hiding this comment.
2.9.10.3 seems like a safe bet?
There was a problem hiding this comment.
Sounds Good :)
I'll upgrade to 2.9.10.3 first.
Thanks! :)
(Security fixes)
RakefetEP
changed the title
|
I see that jackson-databind has 2.9.10.3 but jackson-core does not have it and there is only one variable for Jackson libraries. I will change to 2.9.10 for now. |
(Security fixes)
RakefetEP
changed the title
RakefetEP
changed the title
|
Thanks, @troshko111 ! Have a lovely day :) |
|
Thanks for the PR! I'll release this now. |
|
Great! Thanks a lot! |
|
Hi @troshko111 :) Regarding the upgrade to latest Jackson 2.10.3, are there any special steps I should do before creating the PR? Thanks again! |
|
Hey, I went over the changelog and don't really see anything there which could break compatibility. I think it'd be a good idea to compare the |
(for some security fixes)