Bump jackson-databind to 2.13.2.2 via switching to BOM

Individual libs in Jackson don't necessarily all get released at the same time. The BOM is the right way to ensure versions are all on latest. In this case, to get a CVE patched within databind. See FasterXML/jackson-databind#3428 for more detail
chadlwilson · Mar 30, 2022 · f7c2a39 · f7c2a39
1 parent f62189b
commit f7c2a39
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/dependencies.gradle b/dependencies.gradle
@@ -61,7 +61,7 @@ final Map<String, String> libraries = [
   hamcrest            : 'org.hamcrest:hamcrest-core:2.2',
   hibernate           : 'org.hibernate:hibernate-ehcache:3.6.10.Final',
   httpClientMock      : 'com.github.paweladamski:HttpClientMock:1.10.0',
-  jackson             : 'com.fasterxml.jackson.core:jackson-core:2.13.2',
+  jacksonBom          : 'com.fasterxml.jackson:jackson-bom:2.13.2.20220328',
   javaAssist          : 'javassist:javassist:3.12.1.GA',
   javaxAnnotation     : 'javax.annotation:javax.annotation-api:1.3.2',
   jaxb                : 'javax.xml.bind:jaxb-api:2.3.1',
@@ -142,7 +142,7 @@ final Map<String, String> v = [
   h2                  : versionOf(libraries.h2),
   hamcrest            : versionOf(libraries.hamcrest),
   hibernate           : versionOf(libraries.hibernate),
-  jackson             : versionOf(libraries.jackson),
+  jacksonBom          : versionOf(libraries.jacksonBom),
   javaAssist          : versionOf(libraries.javaAssist),
   javaxAnnotation     : versionOf(libraries.javaxAnnotation),
   jaxb                : versionOf(libraries.jaxb),
@@ -196,7 +196,6 @@ final Map<String, String> related = [
   aspectjWeaver           : "org.aspectj:aspectjweaver:${v.aspectj}",
   bouncyCastlePkix        : "org.bouncycastle:bcpkix-jdk15on:${v.bouncyCastle}",
   hamcrestLibrary         : "org.hamcrest:hamcrest-library:${v.hamcrest}",
-  jacksonDatabind         : "com.fasterxml.jackson.core:jackson-databind:${v.jackson}",
   jaxbRuntime             : "org.glassfish.jaxb:jaxb-runtime:${v.jaxb}",
   jettyDeploy             : "org.eclipse.jetty:jetty-deploy:${v.jetty}",
   jettyJmx                : "org.eclipse.jetty:jetty-jmx:${v.jetty}",

diff --git a/spark/spark-base/build.gradle b/spark/spark-base/build.gradle
@@ -20,8 +20,9 @@ dependencies {
   api project(':common')
   api project(':server')
 
-  implementation project.deps.jackson
-  implementation project.deps.jacksonDatabind
+  implementation(platform(project.deps.jacksonBom))
+  implementation 'com.fasterxml.jackson.core:jackson-core'
+  implementation 'com.fasterxml.jackson.core:jackson-databind'
   implementation project.deps.springWeb
 
   api(project.deps.spark) {