Closed marcyrasta closed 1 year ago
Thanks for the heads-up. I'll release a new version this week.
However, note that jackson-jq itself is not affected by these vulnerabilities because it doesn't use the UNWRAP_SINGLE_VALUE_ARRAYS feature.
Thanks a lot, @eiiches
I have just read that jackson-jq-cli is not production ready.
Is it due to the command line options that may change without notification? Or is it not reliable?
@eiiches
The jackson-jq-cli seems to work fine!
So maybe it was flagged as not production-ready just because there is no notification in case the options change.
I look forward to receiving your reply, and thanks again for the upcoming version with a recent jackson-databind.
@marcyrasta
Yes, it should work fine. It's just that we don't expect users to run jackson-jq-cli on production servers or in any critical part of production services. It is provided only to help developers write, test and debug their jq scripts on their machines. And yes, the command line options may change without any deprecation phase or prior notice.
Hope this clarifies things for you :)
The new version is not yet available in the Maven repository
I think it just takes some time for a new release to become visible there. It's already available on Central, so you should be able to download the release directly from this link or using the following Maven dependency tag:

```xml
<dependency>
  <groupId>net.thisptr</groupId>
  <artifactId>jackson-jq</artifactId>
  <version>1.0.0-preview.20230409</version>
</dependency>
```
Hello, the current jackson-databind version is affected by CVE-2022-42004 and CVE-2022-42003.
Please upgrade to at least 2.13.4.1 in order to fix the vulnerabilities.
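The thread above recommends upgrading to the new jackson-jq release and states the minimum fixed jackson-databind version (2.13.4.1). What a practitioner actually wants to confirm is which jackson-databind Maven resolves transitively after the bump, since a `dependencyManagement` pin or another library can drag an older version back in. The script below is an added example, not code from the jackson-jq project or from this issue: it parses `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` output and fails if any resolved jackson-databind is older than 2.13.4.1. The two sample trees embedded in it are constructed for the demonstration and do not describe what any real jackson-jq release pulls in.

```shell
#!/bin/sh
# Added example (not from the jackson-jq project): verify the jackson-databind
# version Maven resolves is at or above the first fixed release named in the issue.
#
# Real-project usage:
#   mvn -q dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind \
#     | jackson_databind_ok

MIN_FIXED="2.13.4.1"   # minimum fixed version, as stated in the issue

# version_ge A B : succeed if version A >= version B, comparing dot-separated
# numeric components (2.13.4 < 2.13.4.1 < 2.14.0). Done in awk, not `sort -V`,
# to stay portable across sh implementations.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0;
            y = (i <= nb) ? pb[i] + 0 : 0;
            if (x > y) exit 0;
            if (x < y) exit 1;
        }
        exit 0;
    }'
}

# jackson_databind_ok : read `mvn dependency:tree` output on stdin, report every
# jackson-databind artifact found, and fail if none was found or any is < MIN_FIXED.
jackson_databind_ok() {
    found=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            *com.fasterxml.jackson.core:jackson-databind:*) ;;
            *) continue ;;
        esac
        found=1
        # after the artifactId the coordinate reads <type>:<version>[:<scope>]
        coord=${line#*com.fasterxml.jackson.core:jackson-databind:}
        ver=$(printf '%s' "$coord" | cut -d: -f2)
        if version_ge "$ver" "$MIN_FIXED"; then
            echo "ok   jackson-databind $ver"
        else
            echo "FAIL jackson-databind $ver < $MIN_FIXED (CVE-2022-42003, CVE-2022-42004)"
            bad=1
        fi
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed sample trees (hypothetical coordinates, not a real build's output).
SAMPLE_VULNERABLE='[INFO] com.example:demo-app:jar:1.0
[INFO] \- com.example:some-library:jar:3.1:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile'

SAMPLE_FIXED='[INFO] com.example:demo-app:jar:1.0
[INFO] \- com.example:some-library:jar:3.2:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.2:compile'

# Stand-alone demonstration: the first tree must be flagged, the second must pass.
printf '%s\n' "$SAMPLE_VULNERABLE" | jackson_databind_ok || echo "upgrade needed"
printf '%s\n' "$SAMPLE_FIXED" | jackson_databind_ok && echo "resolved version is fixed"
```

The check deliberately requires at least one jackson-databind line to be present: an empty filtered tree usually means the `-Dincludes` filter or the module selection was wrong, not that the dependency is absent, and silently passing in that case would defeat the purpose of the check.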