Update jackson deps to the latest version

[slunker]

Update jackson-databind to 2.13.2.1 as it fixes CVE-2020-36518. For this version of jackson-databind it was necessary to use a different bom - see FasterXML/jackson-databind#3428

The jackson-databind issue describing the CVE is here: FasterXML/jackson-databind#2816

[emlun]

Thanks!

[slunker]

no problem. Any idea when is this going to be released?

[emlun]

Likely next week when we put out a 1.12.3-RC2 with some deprecation notes for features being removed in the upcoming 2.0 release.

But note that the library states dependencies by version ranges, and this version bump is just the lower bound. Downstream projects can (and should) also add their own version constraints to account for vulnerabilities, and don't have to wait for their dependencies to do so (unless upstream dependencies have incompatible version constraints, of course, which is why we state them as ranges).

[travisspencer]

We upgraded before this, @emlun , as you say. The issue is that Jackson databind makes breaking changes between minors, we've heard it said. So, we were a bit leery to make that bump. We wanted to be sure that the version passed all of the project's tests and looks good from the maintainers' PoV. We also wanted to be good OSS users and contribute back, even if it was small.

[emlun]

@slunker This is now out in pre-release 1.12.3-RC2. Our usual procedure is to let RC releases sit for about 2 weeks before promoting them to a non-RC release.

@travisspencer I see, thank you for contributing! (I assume you are affiliated with @slunker?)

[travisspencer]

We (@slunker , me and the rest of the Curity crew) are fixing a few other issues ATM, @emlun. Maybe we can do some testing before the RC is released. Can you switch us to this new version, @daniellindau, and see if you hit any problems?

[travisspencer]

BTW, @daniellindau told me yesterday, @emlun , that we've switched to the RC2 build. We'll report in errors to the issue tracker if any arise.