
Bump jackson-databind dependency to 2.13.2 #542

Merged
poovamraj merged 3 commits into master from chore/update-jackson-databind Mar 13, 2022

Conversation

@evansims (Member) commented Mar 13, 2022

Changes

This PR bumps the jackson-databind dependency to 2.13.2. This addresses CVE-2020-36518 for that dependency.

References

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds test coverage
  • This change has been tested on the latest version of Java or why not

Checklist

@evansims evansims added the labels CH: Security, dependencies (One or more dependencies are being bumped) and review:tiny (Tiny review) Mar 13, 2022
@evansims evansims marked this pull request as ready for review March 13, 2022 01:04
@evansims evansims requested a review from a team as a code owner March 13, 2022 01:04
@evansims evansims changed the title from "Bump jackson-databind dependency to 2.13" to "Bump jackson-databind dependency to 2.13.2" Mar 13, 2022
@poovamraj (Contributor) left a comment

Thanks @evansims, we actually wanted to update to this version for our major anyway.

@poovamraj poovamraj merged commit 22f3147 into master Mar 13, 2022
@jimmyjames jimmyjames added this to the 3.19.0 milestone Mar 14, 2022
@jimmyjames jimmyjames mentioned this pull request Mar 14, 2022
poovamraj pushed a commit that referenced this pull request Mar 16, 2022
* Bump `jackson-databind` dependency to 2.13

* Update build.gradle

* Update build.gradle
poovamraj added a commit that referenced this pull request Mar 25, 2022
* Bump `jackson-databind` dependency to 2.13.2 (#542)

* Bump `jackson-databind` dependency to 2.13

* Update build.gradle

* Update build.gradle

* Deprecate ES256K Algorithm (#543)

* [SDK-3192] Deprecate secp256k1 curve for EC Algorithms

* Documentation update

* Release 3.19.0

Co-authored-by: Evan Sims <evan.sims@auth0.com>
Co-authored-by: James Anderson <jim.anderson@auth0.com>
@overheadhunter (Contributor) commented Mar 29, 2022

This actually doesn't change anything, as the CPE includes version 2.13.2. The issue got fixed in 2.13.2.1 or 2.13.2.2 (see FasterXML/jackson-databind#2816)

Edit: Just found #566, please head over to the new PR and ignore this comment 😉
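The PR description says 2.13.2 addresses CVE-2020-36518, and the comment above points out that the fix only landed in 2.13.2.1, so a version that looks "bumped" can still sit inside the vulnerable CPE range. The script below is an added example and is not code from this repository or from the jackson-databind project: it reads a constructed build.gradle snippet, extracts the declared jackson-databind version, and compares it numerically (so that 2.13.2 sorts below 2.13.2.1) against the first fixed version on its minor line. The 2.13.2.1 threshold is the one named in the comment; the 2.12.6.1 entry, treating 2.14 and later lines as fixed, and treating older lines as unfixed are assumptions taken from the upstream advisory rather than from this page. The sample build.gradle text, the FIXED_IN table and the function names are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a build.gradle dependencies block. This is not the
# project's real file, only an input for the audit below.
SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.13.2'
    testImplementation "junit:junit:4.13.2"
}
"""

# First version on each minor line that contains the fix for CVE-2020-36518.
# 2.13.2.1 is the threshold named in the review comment. The 2.12 entry and
# the rule that every line from 2.14 onwards carries the fix are assumptions
# taken from the upstream advisory, not from this page.
FIXED_IN = {
    (2, 12): (2, 12, 6, 1),
    (2, 13): (2, 13, 2, 1),
}
FIRST_FIXED_MINOR = (2, 14)

# Matches 'group:artifact:version' coordinates in Gradle string notation,
# with either single or double quotes.
DEP_RE = re.compile(
    r"""['"](?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<version>[\w.\-]+)['"]"""
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into an integer tuple so it compares numerically.

    Tuple ordering handles the patch-of-a-patch case that a CPE range
    'up to and including 2.13.2' hinges on: (2, 13, 2) < (2, 13, 2, 1).
    Plain string comparison fails on cases like '2.13.10' < '2.13.2'.
    Versions with qualifiers such as '2.13.2-rc1' are rejected rather than
    silently mis-ordered; compare those by hand.
    """
    if not re.fullmatch(r"\d+(?:\.\d+)*", version):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True if this jackson-databind version predates the fix on its minor line."""
    v = parse_version(version)
    minor = v[:2]
    if minor in FIXED_IN:
        return v < FIXED_IN[minor]
    if minor >= FIRST_FIXED_MINOR:
        return False
    # Older minor lines received no backport (assumption from the upstream advisory).
    return True


def find_jackson_databind(build_gradle: str) -> Optional[str]:
    """Return the declared jackson-databind version, or None if it is not declared."""
    for match in DEP_RE.finditer(build_gradle):
        coordinate = (match.group("group"), match.group("artifact"))
        if coordinate == ("com.fasterxml.jackson.core", "jackson-databind"):
            return match.group("version")
    return None


def audit(build_gradle: str) -> Optional[Tuple[str, bool]]:
    """(version, vulnerable) for the declared jackson-databind, or None if absent."""
    version = find_jackson_databind(build_gradle)
    if version is None:
        return None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    result = audit(SAMPLE_BUILD_GRADLE)
    if result is None:
        print("jackson-databind is not declared in this build file")
    else:
        version, vulnerable = result
        status = "VULNERABLE to CVE-2020-36518" if vulnerable else "fixed"
        print(f"jackson-databind {version}: {status}")
```

Run against the sample it reports 2.13.2 as still vulnerable, which is the point of the comment above: the bump in this PR lands exactly on the last affected version of the 2.13 line. Note that this checks only the version declared in build.gradle; a transitive dependency can pull in a different jackson-databind, so the resolved version (for example from `gradle dependencies`) is what should be compared.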

@evansims evansims deleted the chore/update-jackson-databind branch July 5, 2022 21:13
Labels: CH: Security; dependencies (One or more dependencies are being bumped); review:tiny (Tiny review)

4 participants