Closed stummb closed 1 week ago
It appears that only JsonFormat.CONTENT_TYPE is used here and therefore doesn't pertain to the CVE (custom deserialization methods). Otherwise I do think the correct place for this is requesting cloudevents java sdk to release a newer version.
https://github.com/GoogleCloudPlatform/functions-framework-java/pull/274 - cloudevents opted to roll this into the 3.0 release, so we have to bump the cloudevents-sdk version we require, too.
jackson-json is included transitively via cloudevents-json-jackson. The included version is vulnerable (CVE-2022-42004).
The version is updated there (https://github.com/cloudevents/sdk-java/issues/588), but needs to be released. As soon as this is done, it can be updated here.
Is it advisable to use dependency overrides until then?
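One way to pin the transitive jackson-databind while waiting for the cloudevents-sdk-java release, shown here as an added example that is not part of this thread and not the build of functions-framework-java or cloudevents-sdk-java: a Maven `dependencyManagement` entry in the consuming project's pom.xml. Assumptions: the consumer builds with Maven, the transitive dependency to pin is `com.fasterxml.jackson.core:jackson-databind`, and `2.13.4.2` is a release that addresses CVE-2022-42004 (the thread does not name a patched version, so verify it against the jackson-databind advisory before use).

```xml
<!-- Added example, not from functions-framework-java or cloudevents-sdk-java.
     Pins jackson-databind above the version pulled in transitively through
     cloudevents-json-jackson. Assumed: Maven build; 2.13.4.2 addresses
     CVE-2022-42004 (check the advisory, the thread does not state it). -->
<project>
  ...
  <dependencyManagement>
    <dependencies>
      <!-- A managed version overrides Maven's "nearest wins" transitive
           resolution, so this version is used wherever jackson-databind
           appears in the tree, including under cloudevents-json-jackson. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.13.4.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Unchanged: cloudevents stays at whatever version the framework
         requires (cloudevents.version is a placeholder property);
         only jackson-databind is pinned. -->
    <dependency>
      <groupId>io.cloudevents</groupId>
      <artifactId>cloudevents-json-jackson</artifactId>
      <version>${cloudevents.version}</version>
    </dependency>
  </dependencies>
</project>
```

After adding the override, confirm it took effect with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`, which prints the resolved jackson artifacts and their versions; every `jackson-databind` entry should show the managed version. Two caveats a practitioner should keep in mind: the override is a stop-gap that should be removed once the cloudevents-sdk-java release (and the matching functions-framework-java bump) lands, otherwise it will silently keep pinning an older line than the one the upstream projects ship; and pinning a single jackson module can leave it out of step with the `jackson-core` and `jackson-annotations` versions that are resolved alongside it, so check the same tree output for mismatched 2.13.x versions and pin those too if needed.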