Closed raptorshots closed 3 years ago
This is a duplicate of #315. See the analysis of how this Jackson issue affects Spring Cloud Connectors in this comment. Please add a comment to that issue if you have additional feedback.
Also note that Connectors is in maintenance mode, and should be replaced by the use of Java CFEnv (which does not shade Jackson dependencies and therefore is not subject to this type of issue).
We are using spring-cloud-cloudfoundry-connector in our applications deployed in Tanzu Platform. The version is 2.0.7.RELEASE. However, this version is flagged as vulnerable by Application Security tools such as the JFrog Xray Platform because of the vulnerable transitive dependency jackson-databind 2.10.0.

Will it be possible to release a version with a non-vulnerable version of jackson-databind, such as 2.10.5.1, which is the closest non-vulnerable version?

For reference:
https://snyk.io/vuln/maven:com.fasterxml.jackson.core:jackson-databind@2.10
https://snyk.io/vuln/maven:com.fasterxml.jackson.core:jackson-databind@2.10.5.1