Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump jackson-databind dependency to 2.13.2 #542

Merged
merged 3 commits into from
Mar 13, 2022

Conversation

evansims
Copy link
Member

@evansims evansims commented Mar 13, 2022

Changes

This PR bumps the jackson-databind dependency to 2.13.2. This addresses CVE-2020-36518 for that dependency.

References

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds test coverage
  • This change has been tested on the latest version of Java or why not

Checklist

@evansims evansims added CH: Security dependencies One or more dependencies are being bumped review:tiny Tiny review labels Mar 13, 2022
@evansims evansims marked this pull request as ready for review March 13, 2022 01:04
@evansims evansims requested a review from a team as a code owner March 13, 2022 01:04
@evansims evansims changed the title Bump jackson-databind dependency to 2.13 Bump jackson-databind dependency to 2.13.2 Mar 13, 2022
Copy link
Contributor

@poovamraj poovamraj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @evansims, We actually wanted to update to this version for our major anyways.

@poovamraj poovamraj merged commit 22f3147 into master Mar 13, 2022
@jimmyjames jimmyjames added this to the 3.19.0 milestone Mar 14, 2022
@jimmyjames jimmyjames mentioned this pull request Mar 14, 2022
poovamraj pushed a commit that referenced this pull request Mar 16, 2022
* Bump `jackson-databind` dependency to 2.13

* Update build.gradle

* Update build.gradle
poovamraj added a commit that referenced this pull request Mar 25, 2022
* Bump `jackson-databind` dependency to 2.13.2 (#542)

* Bump `jackson-databind` dependency to 2.13

* Update build.gradle

* Update build.gradle

* Deprecate ES256K Algorithm (#543)

* [SDK-3192] Deprecate secp256k1 curve for EC Algorithms

* Documentation update

* Release 3.19.0

Co-authored-by: Evan Sims <[email protected]>
Co-authored-by: James Anderson <[email protected]>
@overheadhunter
Copy link
Contributor

overheadhunter commented Mar 29, 2022

This actually doesn't change anything, as the CPE includes version 2.13.2. The issue got fixed in 2.13.2.1 or 2.13.2.2 (see FasterXML/jackson-databind#2816)

Edit: Just found #566, please head over to the new PR and ignore this comment 😉

@evansims evansims deleted the chore/update-jackson-databind branch July 5, 2022 21:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
CH: Security dependencies One or more dependencies are being bumped review:tiny Tiny review
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants