guardian / security-hq

Centralised security information for AWS accounts
https://security-hq.gutools.co.uk/

Bump jackson explicitly to resolve incompatible version issue #1149

Closed adamnfish closed 2 months ago

adamnfish commented 2 months ago

What does this change?

We depend on both jackson-databind and jackson-module-scala, and explicitly ask for version 2.15.x to avoid vulnerabilities in 2.14.x (Play's preferred version). The AWS SDK depends on jackson at version 2.17.x, which evicts our version (2.15.x) for jackson-databind, but not for the jackson-module-scala (which it doesn't know about). These incompatible versions throw an exception at start time, so the Play server does not start.

Bumping our override to 2.17.x resolves the incompatibility.

What is the value of this?

The server will start :-)

Any additional notes?

The risk with this change is that Play does not work with jackson at v2.17.x. This was already an issue, because we were forcing 2.15.x. We'll keep an eye out.
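A build-time check for the condition described in the PR above, as an added example that is not part of the PR or the security-hq code base: it flags Jackson artifacts whose major.minor differs from jackson-databind in a resolved dependency listing. The `group:artifact:version` listing, the patch versions and the function names are constructed for illustration, and the same-minor rule is an assumption based on the incompatibility the PR describes.

```python
import re

# Constructed sample of a resolved classpath (group:artifact:version).
# Not taken from the security-hq build; patch versions are made up.
BEFORE = """\
com.fasterxml.jackson.core:jackson-databind:2.17.0
com.fasterxml.jackson.core:jackson-core:2.17.0
com.fasterxml.jackson.core:jackson-annotations:2.17.0
com.fasterxml.jackson.module:jackson-module-scala_2.13:2.15.0
software.amazon.awssdk:s3:0.0.0
"""
# Same listing after the override is bumped to the 2.17 line.
AFTER = BEFORE.replace(
    "jackson-module-scala_2.13:2.15.0", "jackson-module-scala_2.13:2.17.0"
)

# Matches only com.fasterxml.jackson.* coordinates and captures major/minor.
COORD = re.compile(
    r"^(com\.fasterxml\.jackson[\w.]*):([\w.\-]+):(\d+)\.(\d+)\.[\w.\-]+$"
)


def jackson_lines(resolved):
    """Map each Jackson artifact name to its (major, minor) version line."""
    found = {}
    for raw in resolved.splitlines():
        m = COORD.match(raw.strip())
        if m:
            found[m.group(2)] = (int(m.group(3)), int(m.group(4)))
    return found


def mismatches(resolved, anchor="jackson-databind"):
    """Return (artifact, its line, anchor's line) for every Jackson artifact
    whose major.minor differs from the anchor artifact's."""
    found = jackson_lines(resolved)
    if anchor not in found:
        raise ValueError(f"{anchor} not on the resolved classpath")
    want = found[anchor]
    return sorted(
        (name, "%d.%d" % line, "%d.%d" % want)
        for name, line in found.items()
        if line != want
    )


if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        bad = mismatches(listing)
        print(label, "OK" if not bad else bad)
```

Failing the build when `mismatches` returns a non-empty list surfaces a partial eviction before deployment rather than at server start.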

github-actions[bot] commented 2 months ago

Deploy build 2919 of security-hq to CODE

All deployment options

- [Deploy build 2919 of `security-hq` to CODE](https://riffraff.gutools.co.uk/deployment/deployAgain?project=security-hq&build=2919&stage=CODE&updateStrategy=MostlyHarmless&action=deploy)
- [Deploy parts of build 2919 to CODE by previewing it first](https://riffraff.gutools.co.uk/preview/yaml?project=security-hq&build=2919&stage=CODE&updateStrategy=MostlyHarmless)
- [What's on CODE right now?](https://riffraff.gutools.co.uk/deployment/history?projectName=security-hq&stage=CODE)

From guardian/actions-riff-raff.