CVE-2020-36518 - bump jackson from 2.11.2 to 2.13.3 #464
Conversation
Signed-off-by: Gustavo Tedesco <[email protected]>
…java into snyk-vulnerability
LGTM
@pierDipi Do you have any predictions for the acceptance of this PR?
@gtedesc0 can you add the reason for this bump in the PR body? Is the fix you're looking for available in a patch release of Jackson?
The reason for this bump: correct the vulnerability below.
Thanks!
LGTM
Thanks!
@pierDipi Do you have a forecast for version 2.3.1?
As I wrote here #464 (comment), we need a 3.0.0 unless there is a fix in a patch version of Jackson for 2.11 that we can use.
I will try to see if there are other major features or fixes to include in 3.0.0 and then I will cut a release.
fwiw, in my projects, I override Jackson's version with my own version [1] and [2]
[1] https://github.com/knative-sandbox/eventing-kafka-broker/blob/e4782fbc237d7575a7bfbd05f6bc549e5dbcd09e/data-plane/pom.xml#L269-L279
You would need to make sure that everything still works as expected with the new Jackson version in your system, but that's another option to get the fix earlier.
@pierDipi thank you so much!
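The override approach mentioned in the comment above, written out as an added example (it is not the linked pom.xml and not this project's code): a Maven `dependencyManagement` import of the Jackson BOM, which forces every Jackson module that any dependency pulls in transitively to the pinned version. The property name `jackson.version` and the `jackson-databind` dependency are assumptions for illustration; 2.13.3 is the version this PR bumps to. Note that CVE-2020-36518 is a jackson-databind issue (unbounded nesting depth leading to a StackOverflowError), so the version that matters is the one resolved for jackson-databind, not only jackson-core.

```xml
<!-- Added example, not the pom.xml linked above: pin all Jackson modules to one
     version through the Jackson BOM so a transitive 2.11.x cannot win resolution. -->
<project>
  <properties>
    <!-- Assumed property name; 2.13.3 is the version this PR moves to. -->
    <jackson.version>2.13.3</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- An imported BOM supplies managed versions for jackson-core,
           jackson-databind, jackson-annotations and the other modules.
           Managed versions take precedence over versions declared by
           transitive dependencies during Maven's resolution. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed direct dependency for illustration; left version-less so the
         BOM above decides which jackson-databind ends up on the classpath. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the change, confirm what actually resolved with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` and check that jackson-databind, not just jackson-core, shows 2.13.3. If a parent POM or another imported BOM already manages Jackson, a direct `dependencyManagement` entry for jackson-databind in this POM overrides the imported value, since explicit entries beat imports. As the comment notes, a 2.11 to 2.13 move is a minor-version jump, so run the full test suite against the new version rather than relying on the build alone.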
Bumps jackson from 2.11.2 to 2.13.3.
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core
Signed-off-by: Gustavo Tedesco [email protected]