Upgrade Jackson dependency

restlet / restlet-framework-java

The first REST API framework for Java

https://restlet.talend.com

647 stars 284 forks source link

Upgrade Jackson dependency #1329

Closed thboileau closed 6 years ago

thboileau commented 6 years ago

Restlet's Jackson extension currently depends on Jackson 2.4.4, which is known to be affected by security issues

CVE-2017-15095
CVE-2017-17485
CVE-2017-7525
CVE-2018-7489
CVE-2018-5968
CVE-2016-7051
CVE-2016-3720

Updating this dependency to 2.9.6.

thboileau commented 6 years ago

Hi @Tembrel I remember that you were quite reluctant to upgrade. It's easiest for us to do so; in 2.4 branch and it allows to adopt bug fixes. You can still switch to older versions of Jackson, the API is similar.

Tembrel commented 6 years ago

I remember newer versions of Jackson broke existing code for me, but there's no reason that anyone else should suffer. I'll either figure out why it broke or stick with an older Restlet version.