Upgrade jackson-core to latest. Is this repo still maintained ? #60
Comments
|
One idea for the long term could be to mark the dependency jackson-databind as provided (inside the pom of this repo). <dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<scope>provided</scope>
</dependency>This would require all consumers of this dependency to also declare jackson-databind in their dependency section (which is probably already done by most consumers) but on the other hand provide way more flexibility which jackson version to use. Could anyone share some opinions regarding my idea? :) |
plumstone
added a commit
to plumstone/jackson-databind-nullable
that referenced
this issue
Apr 28, 2025
plumstone
added a commit
to plumstone/jackson-databind-nullable
that referenced
this issue
May 1, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
Our vulnerability scanner keeps raising alerts because we're using open-api-generator which relies on jackson-databind-nullable.
It seems the latest version here was released in Febuary 2023 and is dependent on com.fasterxml.jackson.core:[email protected] which introduce a CWE-400 (see FasterXML/jackson-core#861)
I can see a PR that could fix this issue is opened here #52 but no follow-up was done since August 2024. Any chance to get it merged ? Is this repo still maintained ?
Regards :)
Guillaume
The text was updated successfully, but these errors were encountered: