Open yeikel opened 1 year ago
Hello! Yes I'd welcome PR to fix this. Please understand that if the transitive dependency explicit version does not work with all the tests on the Prettier Apex side (because it looks like jersey itself has some issue upgrading to the new version), then I won't be able to merge them.
I submitted https://github.com/dangmai/apex-ast-serializer/pull/195
Please understand that if the transitive dependency explicit version does not work with all the tests on the Prettier Apex
That's fair. How can I test this?
Currently, the Jackson version bundled with jersey is vulnerable to Sonatype-2022-6438. See https://github.com/FasterXML/jackson-core/issues/861 (Jackson is a transitive dependency)
This is currently under discussion here https://github.com/eclipse-ee4j/jersey/issues/5283 but it is unclear when that will be resolved
Sadly, due to this vulnerability, we cannot use prettier-plugin-apex in our environment because this dependency is pulling Jackson 2.14.1
Would you be open to temporarily overwriting the version of Jackson?
We should be able to exclude it from jetty and define Jackson 2.15 explicitly
https://github.com/dangmai/apex-ast-serializer/blob/master/build.gradle#L117
Current dependency tree:
We can volunteer and send a pull request with that change if accepted
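
Added example, not part of the thread or of either project's code: a check over the text output of `gradle dependencies` that confirms no Jackson module still resolves below the 2.15 line requested in the issue. The sample trees, the `org.example:json-provider` parent and the `runtimeClasspath` configuration name are assumptions made for the illustration.

```python
import re
import sys

# Floor taken from the issue text ("define Jackson 2.15 explicitly").
JACKSON_FLOOR = (2, 15)

# Matches one node of Gradle's text dependency tree, for example:
#   |    \--- com.fasterxml.jackson.core:jackson-core:2.14.1 -> 2.15.0 (*)
# Captures: group, module name, requested version, version after "->".
NODE = re.compile(
    r"[+\\]--- (com\.fasterxml\.jackson[\w.]*):([\w.-]+)"
    r"(?::([\w.-]+))?(?: -> ([\w.-]+))?"
)

def stale_jackson(tree_text, floor=JACKSON_FLOOR):
    """Return sorted (module, version) pairs that resolve below `floor`."""
    stale = set()
    for line in tree_text.splitlines():
        node = NODE.search(line)
        if node is None:
            continue
        group, name, requested, resolved = node.groups()
        version = resolved or requested or "unknown"
        parsed = re.match(r"(\d+)\.(\d+)", version)
        # An unparseable version is reported too, so it gets a human look.
        if parsed is None or tuple(map(int, parsed.groups())) < floor:
            stale.add((f"{group}:{name}", version))
    return sorted(stale)

# Constructed sample trees; org.example:json-provider is a made-up parent.
BEFORE = r"""
+--- org.example:json-provider:1.0
|    +--- com.fasterxml.jackson.core:jackson-databind:2.14.1
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.14.1
|    \--- com.fasterxml.jackson.core:jackson-core:2.14.1 (*)
"""
AFTER = r"""
+--- org.example:json-provider:1.0
|    +--- com.fasterxml.jackson.core:jackson-databind:2.14.1 -> 2.15.0
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.15.0
|    \--- com.fasterxml.jackson.core:jackson-core:2.14.1 -> 2.15.0 (*)
"""

if __name__ == "__main__":
    # Assumed usage: ./gradlew dependencies --configuration runtimeClasspath | python check.py
    found = stale_jackson(sys.stdin.read())
    for module, version in found:
        print(f"{module} resolves to {version}, below 2.15")
    sys.exit(1 if found else 0)
```

The version after `->` is the one Gradle actually selected, so a node that still requests 2.14.1 passes once the explicit version wins resolution.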