
Update jackson deps to the latest version #176

Merged
merged 2 commits into from
Mar 25, 2022

Conversation

slunker commented Mar 25, 2022

Update jackson-databind to 2.13.2.1 as it fixes CVE-2020-36518. For this version of jackson-databind it was necessary to use a different bom - see FasterXML/jackson-databind#3428

The jackson-databind issue describing the CVE is here: FasterXML/jackson-databind#2816

@emlun emlun merged commit 8374671 into Yubico:master Mar 25, 2022
emlun (Member) commented Mar 25, 2022

Thanks!

slunker (Author) commented Mar 25, 2022

No problem. Any idea when this is going to be released?

emlun (Member) commented Mar 25, 2022

Likely next week when we put out a 1.12.3-RC2 with some deprecation notes for features being removed in the upcoming 2.0 release.

But note that the library states dependencies by version ranges, and this version bump is just the lower bound. Downstream projects can (and should) also add their own version constraints to account for vulnerabilities, and don't have to wait for their dependencies to do so (unless upstream dependencies have incompatible version constraints, of course, which is why we state them as ranges).
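As an added example (not code from the thread, the library, or the Curity project), here is how a downstream Gradle build can state its own jackson-databind lower bound, as emlun describes, instead of relying on the range the library declares. Assumptions: Gradle Kotlin DSL, the coordinates com.yubico:webauthn-server-core and com.fasterxml.jackson.core:jackson-databind, and a placeholder for the library version in use.

```kotlin
// build.gradle.kts of a downstream project (added example; assumes Gradle Kotlin DSL).
// The library declares jackson-databind as a version range, so the consumer
// states its own lower bound rather than waiting for a library release.
dependencies {
    // <version-in-use> is a placeholder for whatever library version the project already depends on.
    implementation("com.yubico:webauthn-server-core:<version-in-use>")

    constraints {
        implementation("com.fasterxml.jackson.core:jackson-databind") {
            version {
                // Lower bound: the version the thread names as fixing CVE-2020-36518.
                // Any higher version inside the library's declared range still resolves.
                require("2.13.2.1")
            }
            because("CVE-2020-36518 is fixed in jackson-databind 2.13.2.1")
        }
    }
}
```

Running `./gradlew dependencyInsight --dependency jackson-databind` shows which version resolved and which constraint or declared range selected it.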

travisspencer (Contributor) commented Mar 29, 2022

We upgraded before this, @emlun, as you say. The issue is that Jackson databind makes breaking changes between minors, we've heard it said. So, we were a bit leery to make that bump. We wanted to be sure that the version passed all of the project's tests and looked good from the maintainers' PoV. We also wanted to be good OSS users and contribute back, even if it was small.

emlun (Member) commented Mar 31, 2022

@slunker This is now out in pre-release 1.12.3-RC2. Our usual procedure is to let RC releases sit for about 2 weeks before promoting them to a non-RC release.

@travisspencer I see, thank you for contributing! (I assume you are affiliated with @slunker?)

travisspencer (Contributor) commented

We (@slunker, me and the rest of the Curity crew) are fixing a few other issues ATM, @emlun. Maybe we can do some testing before the RC is released. Can you switch us to this new version, @daniellindau, and see if you hit any problems?

travisspencer (Contributor) commented

BTW, @daniellindau told me yesterday, @emlun, that we've switched to the RC2 build. We'll report any errors to the issue tracker if they arise.
