linkedin / parseq

Asynchronous Java made easier
Apache License 2.0

Bump vulnerable dependency on jackson-mapper-asl (CVE-2019-10172) #321

Open jjoyce0510 opened 2 years ago

jjoyce0510 commented 2 years ago

Parseq depends on jackson-mapper-asl, which has not been updated for many years and has since been deprecated, moved to jackson-databind under FasterXML.

This library has a serious CVE that can only be addressed by migrating from jackson-mapper-asl to the jackson-databind module at a later version (preferably 2.13.2.2).

This ticket is for doing this migration with Parseq. Because Restli client depends on Parseq, this dependency bubbles up to anyone depending on Rest.li client as well.

jjoyce0510 commented 2 years ago

@junchuanwang do you think we can get this one prioritized?

junchuanwang commented 2 years ago

@jjoyce0510 do you think you can raise a PR? I will review it. My hunch is changing the import path name (org.codehaus.jackson vs com.fasterxml.jackson.core) is the only thing needed.
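
The import-path migration described above, as an added example that is not code from the parseq repository or from anyone in this thread. It assumes a Gradle build (the coordinate swap is shown in a comment), a hypothetical `TraceEvent` payload type, and constructed sample JSON; the 1.x-to-2.x package mapping in the comments is the one Jackson itself documents.

```java
// Added example: moving from jackson-mapper-asl (Jackson 1.x, org.codehaus.jackson)
// to jackson-databind (Jackson 2.x, com.fasterxml.jackson), as the thread proposes.
// Build coordinate swap (assumed Gradle syntax):
//   - implementation 'org.codehaus.jackson:jackson-mapper-asl:1.9.13'
//   + implementation 'com.fasterxml.jackson.core:jackson-databind:2.13.2.2'
//
// Import path mapping (1.x -> 2.x):
//   org.codehaus.jackson.map.ObjectMapper      -> com.fasterxml.jackson.databind.ObjectMapper
//   org.codehaus.jackson.JsonNode              -> com.fasterxml.jackson.databind.JsonNode
//   org.codehaus.jackson.type.TypeReference    -> com.fasterxml.jackson.core.type.TypeReference
//   org.codehaus.jackson.annotate.JsonProperty -> com.fasterxml.jackson.annotation.JsonProperty
//   org.codehaus.jackson.map.JsonMappingException -> com.fasterxml.jackson.databind.JsonMappingException

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.util.List;

public class JacksonMigrationExample {
    // Hypothetical payload type, constructed for this example only.
    public static final class TraceEvent {
        @JsonProperty("name") public String name;
        @JsonProperty("durationMs") public long durationMs;
    }

    // A single shared mapper, configured once, is the usual 2.x pattern.
    // Polymorphic default typing is off by default in 2.x; this code leaves it off.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);

    public static List<TraceEvent> parseEvents(String json) throws IOException {
        // TypeReference changed package but is used exactly as it was in 1.x.
        return MAPPER.readValue(json, new TypeReference<List<TraceEvent>>() {});
    }

    public static String render(List<TraceEvent> events) throws IOException {
        return MAPPER.writeValueAsString(events);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input; "extra" exercises the unknown-property setting.
        String json = "[{\"name\":\"fetch\",\"durationMs\":12,\"extra\":true}]";
        List<TraceEvent> events = parseEvents(json);
        JsonNode tree = MAPPER.readTree(render(events));
        System.out.println(tree.get(0).get("name").asText());
    }
}
```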

fm-gawdeprasad commented 2 years ago

@jjoyce0510 @junchuanwang Is this change released, or do we have any ETA for this fix? We are planning to use Parseq post this fix.

nipundave commented 2 years ago

@jjoyce0510 @junchuanwang : I have made the required changes but don't have permission to push these changes or create a PR. I have attached a file containing the changes.

Can one of you please review and push these changes out ASAP? jackson-update.txt

junchuanwang commented 2 years ago

@evanw555 I think this is a safe change, can you convert this to a PR?