Open sadiqkassamali opened 4 months ago
Unfortunately, merging this would require dropping support for Gradle versions older than 7.6, so this is going to need to wait until the next version bump.
But on the bright side, actually using this to attack your build would require very specific circumstances, so while the CVE has a high severity, it's almost irrelevant here. And Gradle's dependency management would allow this to be patched locally where necessary.
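As an added illustration of the "patch it locally" option mentioned above (this is not code from the plugin or this PR), a Gradle Kotlin DSL fragment that pins the transitive jackson-databind to the version this PR proposes and fails the build if anything older still resolves; the task name and `because` text are constructed for the example:

```kotlin
// build.gradle.kts (added example, not part of the project)
// Pin the transitive jackson-databind pulled in by the plugin without
// waiting for an upstream release. A constraint raises the version for
// every configuration that depends on the module; `force` would also
// override explicit newer requests, which is rarely what you want.
dependencies {
    constraints {
        implementation("com.fasterxml.jackson.core:jackson-databind:2.17.2") {
            because("SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538: local pin until the plugin bumps it")
        }
    }
}

// Guardrail: fail the build if any resolved artifact still carries an
// older jackson-databind, so the pin cannot silently regress.
tasks.register("verifyJacksonDatabind") {
    doLast {
        val minimum = "2.17.2"
        val resolved = configurations.getByName("runtimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "com.fasterxml.jackson.core" && it.name == "jackson-databind" }
        val bad = resolved.filter { compareVersions(it.version, minimum) < 0 }
        check(bad.isEmpty()) { "jackson-databind below $minimum on runtimeClasspath: $bad" }
        println("jackson-databind resolved to ${resolved.map { it.version }}")
    }
}

// Numeric dotted-version comparison (handles 2.9.10 vs 2.17.2 correctly,
// which plain string comparison does not).
fun compareVersions(a: String, b: String): Int {
    val pa = a.split(".").map { it.takeWhile(Char::isDigit).toIntOrNull() ?: 0 }
    val pb = b.split(".").map { it.takeWhile(Char::isDigit).toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(pa.size, pb.size)) {
        val d = pa.getOrElse(i) { 0 }.compareTo(pb.getOrElse(i) { 0 })
        if (d != 0) return d
    }
    return 0
}
```

Run `./gradlew dependencyInsight --dependency jackson-databind` to see which path brought the module in and confirm the constraint was applied.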
That would be really useful, see e.g. here:
https://github.com/CycloneDX/cyclonedx-gradle-plugin/issues/482
Ah, API issues :-/ I was hoping that our usage would be innocuous enough, but I need to take a closer look at this.
Bump com.fasterxml.jackson.core/jackson-databind to 2.17.2 due to v3 https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538