Pull request overview
This PR bumps the Jackson dependency version from 2.16.1 to 2.18.6 to address the CWE-770 security vulnerability.
Changes:
- Updates the jackson version entry in gradle/libs.versions.toml from 2.16.1 to 2.18.6, which applies to both jackson-core and jackson-dataformat-yaml artifacts.
| # Current dependency versions (maintained for compatibility) | ||
| gson = "2.10.1" | ||
| jackson = "2.16.1" | ||
| jackson = "2.18.6" |
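Review bot: the bumped entry still sits under the "# Current dependency versions (maintained for compatibility)" comment, so nothing in the catalog records that 2.18.6 is a security fix, and a catalog change alone does not constrain the transitive jackson-databind that jackson-dataformat-yaml pulls in. Consider moving the entry under the security-fix comment block and checking the resolved version with `./gradlew dependencyInsight --dependency jackson-databind --configuration runtimeClasspath` before merging.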
Since this Jackson version bump is a security fix for CWE-770, it follows the same pattern as the other security-motivated dependency updates in this project (commons-lang3, commons-compress, kotlin-stdlib). Those updates are placed under the # Security-fixed versions comment block and have corresponding force entries in the resolutionStrategy block in build.gradle to ensure no transitive dependency pulls in an older vulnerable version. The Jackson update is only under # Current dependency versions, and there is no force for com.fasterxml.jackson.core:jackson-databind (or the other Jackson modules) in the resolutionStrategy. Since jackson-databind (where CWE-770 resides) is a transitive dependency brought in by jackson-dataformat-yaml, without a force, another dependency such as rundeck-core could still resolve an older vulnerable version of jackson-databind at runtime.
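The force pattern the comment above describes, written out as an added example (not this project's build.gradle): it pins every Jackson module to the catalog version and adds a check task that fails if any resolved Jackson artifact drifts. It assumes the java plugin is applied (for runtimeClasspath), the catalog is named libs, and gradle/libs.versions.toml holds jackson = "2.18.6".

```groovy
// Added example, not the project's own build.gradle.
// Assumes: java plugin applied, version catalog "libs" with jackson = "2.18.6".
def jacksonVersion = libs.versions.jackson.get()

configurations.all {
    resolutionStrategy {
        // Security-fixed versions: pin all Jackson modules, including the transitive
        // jackson-databind, so no other dependency can resolve an older release.
        force "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}",
              "com.fasterxml.jackson.core:jackson-databind:${jacksonVersion}",
              "com.fasterxml.jackson.core:jackson-annotations:${jacksonVersion}",
              "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:${jacksonVersion}"
    }
}

// Fails the build if any resolved Jackson artifact on the runtime classpath
// still differs from the pinned catalog version.
tasks.register('checkJacksonVersions') {
    doLast {
        def mismatched = configurations.runtimeClasspath
            .resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group.startsWith('com.fasterxml.jackson') && it.version != jacksonVersion }
        if (mismatched) {
            throw new GradleException("Unpinned Jackson modules: ${mismatched.join(', ')}")
        }
        println "All Jackson modules resolved to ${jacksonVersion}"
    }
}
```

Running `./gradlew checkJacksonVersions` after the bump confirms the force took effect for every Jackson coordinate rather than only the two the catalog names directly.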
Update Jackson for CWE-770 to version 2.18.6