The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to denial of service attacks.
Release Notes
google/gson
### [`v2.8.9`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-289)
- Make OSGi bundle's dependency on `sun.misc` optional ([https://github.com/google/gson/pull/1993](https://togithub.com/google/gson/pull/1993)).
- Deprecate `Gson.excluder()` exposing internal `Excluder` class ([https://github.com/google/gson/pull/1986](https://togithub.com/google/gson/pull/1986)).
- Prevent Java deserialization of internal classes ([https://github.com/google/gson/pull/1991](https://togithub.com/google/gson/pull/1991)).
- Improve number strategy implementation ([https://github.com/google/gson/pull/1987](https://togithub.com/google/gson/pull/1987)).
- Fix LongSerializationPolicy null handling being inconsistent with Gson ([https://github.com/google/gson/pull/1990](https://togithub.com/google/gson/pull/1990)).
- Support arbitrary Number implementation for Object and Number deserialization ([https://github.com/google/gson/pull/1290](https://togithub.com/google/gson/pull/1290)).
- Bump proguard-maven-plugin from 2.4.0 to 2.5.1 ([https://github.com/google/gson/pull/1980](https://togithub.com/google/gson/pull/1980)).
- Don't exclude static local classes ([https://github.com/google/gson/pull/1969](https://togithub.com/google/gson/pull/1969)).
- Fix `RuntimeTypeAdapterFactory` depending on internal `Streams` class ([https://github.com/google/gson/pull/1959](https://togithub.com/google/gson/pull/1959)).
- Improve Maven build ([https://github.com/google/gson/pull/1964](https://togithub.com/google/gson/pull/1964)).
- Make dependency on `java.sql` optional ([https://github.com/google/gson/pull/1707](https://togithub.com/google/gson/pull/1707)).
### [`v2.8.8`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-288)
- Fixed issue with recursive types ([https://github.com/google/gson/issues/1390](https://togithub.com/google/gson/issues/1390)).
- Better behaviour with Java 9+ and `Unsafe` if there is a security manager ([https://github.com/google/gson/pull/1712](https://togithub.com/google/gson/pull/1712)).
- `EnumTypeAdapter` now works better when ProGuard has obfuscated enum fields ([https://github.com/google/gson/pull/1495](https://togithub.com/google/gson/pull/1495)).
### [`v2.8.7`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-287)
- Fixed `ISO8601UtilsTest` failing on systems with UTC+X.
- Improved javadoc for `JsonStreamParser`.
- Updated proguard.cfg ([https://github.com/google/gson/pull/1693](https://togithub.com/google/gson/pull/1693)).
- Fixed `IllegalStateException` in `JsonTreeWriter` ([https://github.com/google/gson/issues/1592](https://togithub.com/google/gson/issues/1592)).
- Added `JsonArray.isEmpty()` ([https://github.com/google/gson/pull/1640](https://togithub.com/google/gson/pull/1640)).
- Added new test cases ([https://github.com/google/gson/pull/1638](https://togithub.com/google/gson/pull/1638)).
- Fixed OSGi metadata generation to work on JavaSE < 9 ([https://github.com/google/gson/pull/1603](https://togithub.com/google/gson/pull/1603)).
### [`v2.8.6`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-286)
*2019-10-04* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.5...gson-parent-2.8.6)
- Added static methods `JsonParser.parseString` and `JsonParser.parseReader` and deprecated instance method `JsonParser.parse`
- Java 9 module-info support
### [`v2.8.5`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-285)
*2018-05-21* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.4...gson-parent-2.8.5)
- Print Gson version while throwing AssertionError and IllegalArgumentException
- Moved `utils.VersionUtils` class to `internal.JavaVersion`. This is a potential backward incompatible change from 2.8.4
- Fixed issue [https://github.com/google/gson/issues/1310](https://togithub.com/google/gson/issues/1310) by supporting Debian Java 9
### [`v2.8.4`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-284)
*2018-05-01* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.3...gson-parent-2.8.4)
- Added a new FieldNamingPolicy, `LOWER_CASE_WITH_DOTS` that mapps JSON name `someFieldName` to `some.field.name`
- Fixed issue [https://github.com/google/gson/issues/1305](https://togithub.com/google/gson/issues/1305) by removing compile/runtime dependency on `sun.misc.Unsafe`
### [`v2.8.3`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-283)
*2018-04-27* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.2...gson-parent-2.8.3)
- Added a new API, `GsonBuilder.newBuilder()` that clones the current builder
- Preserving DateFormatter behavior on JDK 9
- Numerous other bugfixes
### [`v2.8.2`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-282)
*2017-09-19* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.1...gson-parent-2.8.2)
- Introduced a new API, `JsonElement.deepCopy()`
- Numerous other bugfixes
### [`v2.8.1`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-281)
*2017-05-30* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.0...gson-parent-2.8.1)
- New: `JsonObject.keySet()`
- `@JsonAdapter` annotation can now use `JsonSerializer` and `JsonDeserializer` as well.
### [`v2.7`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-27)
*2016-06-14* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.6.2...gson-parent-2.7)
- Added support for JsonSerializer/JsonDeserializer in [@JsonAdapter](https://togithub.com/JsonAdapter) annotation
- Exposing Gson properties excluder(), fieldNamingStrategy(), serializeNulls(), htmlSafe()
- Added JsonObject.size() method
- Added JsonWriter.value(Boolean value) method
- Using ArrayDeque, ConcurrentHashMap, and other JDK 1.6 features
- Better error reporting
- Plenty of other bug fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
2.6.2->2.8.9GitHub Vulnerability Alerts
CVE-2022-25647
The package
com.google.code.gson:gsonbefore 2.8.9 is vulnerable to Deserialization of Untrusted Data via thewriteReplace()method in internal classes, which may lead to denial of service attacks.Release Notes
google/gson
### [`v2.8.9`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-289) - Make OSGi bundle's dependency on `sun.misc` optional ([https://github.com/google/gson/pull/1993](https://togithub.com/google/gson/pull/1993)). - Deprecate `Gson.excluder()` exposing internal `Excluder` class ([https://github.com/google/gson/pull/1986](https://togithub.com/google/gson/pull/1986)). - Prevent Java deserialization of internal classes ([https://github.com/google/gson/pull/1991](https://togithub.com/google/gson/pull/1991)). - Improve number strategy implementation ([https://github.com/google/gson/pull/1987](https://togithub.com/google/gson/pull/1987)). - Fix LongSerializationPolicy null handling being inconsistent with Gson ([https://github.com/google/gson/pull/1990](https://togithub.com/google/gson/pull/1990)). - Support arbitrary Number implementation for Object and Number deserialization ([https://github.com/google/gson/pull/1290](https://togithub.com/google/gson/pull/1290)). - Bump proguard-maven-plugin from 2.4.0 to 2.5.1 ([https://github.com/google/gson/pull/1980](https://togithub.com/google/gson/pull/1980)). - Don't exclude static local classes ([https://github.com/google/gson/pull/1969](https://togithub.com/google/gson/pull/1969)). - Fix `RuntimeTypeAdapterFactory` depending on internal `Streams` class ([https://github.com/google/gson/pull/1959](https://togithub.com/google/gson/pull/1959)). - Improve Maven build ([https://github.com/google/gson/pull/1964](https://togithub.com/google/gson/pull/1964)). - Make dependency on `java.sql` optional ([https://github.com/google/gson/pull/1707](https://togithub.com/google/gson/pull/1707)). ### [`v2.8.8`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-288) - Fixed issue with recursive types ([https://github.com/google/gson/issues/1390](https://togithub.com/google/gson/issues/1390)). - Better behaviour with Java 9+ and `Unsafe` if there is a security manager ([https://github.com/google/gson/pull/1712](https://togithub.com/google/gson/pull/1712)). - `EnumTypeAdapter` now works better when ProGuard has obfuscated enum fields ([https://github.com/google/gson/pull/1495](https://togithub.com/google/gson/pull/1495)). ### [`v2.8.7`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-287) - Fixed `ISO8601UtilsTest` failing on systems with UTC+X. - Improved javadoc for `JsonStreamParser`. - Updated proguard.cfg ([https://github.com/google/gson/pull/1693](https://togithub.com/google/gson/pull/1693)). - Fixed `IllegalStateException` in `JsonTreeWriter` ([https://github.com/google/gson/issues/1592](https://togithub.com/google/gson/issues/1592)). - Added `JsonArray.isEmpty()` ([https://github.com/google/gson/pull/1640](https://togithub.com/google/gson/pull/1640)). - Added new test cases ([https://github.com/google/gson/pull/1638](https://togithub.com/google/gson/pull/1638)). - Fixed OSGi metadata generation to work on JavaSE < 9 ([https://github.com/google/gson/pull/1603](https://togithub.com/google/gson/pull/1603)). ### [`v2.8.6`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-286) *2019-10-04* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.5...gson-parent-2.8.6) - Added static methods `JsonParser.parseString` and `JsonParser.parseReader` and deprecated instance method `JsonParser.parse` - Java 9 module-info support ### [`v2.8.5`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-285) *2018-05-21* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.4...gson-parent-2.8.5) - Print Gson version while throwing AssertionError and IllegalArgumentException - Moved `utils.VersionUtils` class to `internal.JavaVersion`. This is a potential backward incompatible change from 2.8.4 - Fixed issue [https://github.com/google/gson/issues/1310](https://togithub.com/google/gson/issues/1310) by supporting Debian Java 9 ### [`v2.8.4`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-284) *2018-05-01* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.3...gson-parent-2.8.4) - Added a new FieldNamingPolicy, `LOWER_CASE_WITH_DOTS` that mapps JSON name `someFieldName` to `some.field.name` - Fixed issue [https://github.com/google/gson/issues/1305](https://togithub.com/google/gson/issues/1305) by removing compile/runtime dependency on `sun.misc.Unsafe` ### [`v2.8.3`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-283) *2018-04-27* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.2...gson-parent-2.8.3) - Added a new API, `GsonBuilder.newBuilder()` that clones the current builder - Preserving DateFormatter behavior on JDK 9 - Numerous other bugfixes ### [`v2.8.2`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-282) *2017-09-19* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.1...gson-parent-2.8.2) - Introduced a new API, `JsonElement.deepCopy()` - Numerous other bugfixes ### [`v2.8.1`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-281) *2017-05-30* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.0...gson-parent-2.8.1) - New: `JsonObject.keySet()` - `@JsonAdapter` annotation can now use `JsonSerializer` and `JsonDeserializer` as well. ### [`v2.7`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-27) *2016-06-14* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.6.2...gson-parent-2.7) - Added support for JsonSerializer/JsonDeserializer in [@JsonAdapter](https://togithub.com/JsonAdapter) annotation - Exposing Gson properties excluder(), fieldNamingStrategy(), serializeNulls(), htmlSafe() - Added JsonObject.size() method - Added JsonWriter.value(Boolean value) method - Using ArrayDeque, ConcurrentHashMap, and other JDK 1.6 features - Better error reporting - Plenty of other bug fixesConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.