
Update Jackson BOM to 2.13.2.20220328 #24554

Merged
merged 1 commit into from Mar 29, 2022

Conversation

jorsol (Contributor) commented Mar 25, 2022

This fixes a potential security issue, GHSA-57j2-w4cx-62h2, in Jackson: FasterXML/jackson-databind#2816

@quarkus-bot quarkus-bot bot added the area/dependencies Pull requests that update a dependency file label Mar 25, 2022
quarkus-bot (bot) commented Mar 25, 2022

Thanks for your pull request!

The title of your pull request does not follow our editorial rules. Could you have a look?

  • title should preferably start with an uppercase character (if it makes sense!)
  • title should not start with chore/docs/feat/fix/refactor but be a proper sentence

This message is automatically generated by a bot.

@jorsol jorsol changed the title fix(security): Update Jackson BOM to 2.13.2.20220324 Update Jackson BOM to 2.13.2.20220324 Mar 25, 2022
@quarkus-bot quarkus-bot bot added area/devtools Issues/PR related to maven, gradle, platform and cli tooling/plugins area/platform Issues related to definition and interaction with Quarkus Platform labels Mar 25, 2022

gsmet
gsmet previously requested changes Mar 25, 2022
independent-projects/tools/pom.xml (review comment, resolved)
@gsmet gsmet dismissed their stale review March 25, 2022 22:26

Changes look OK in the end, but we need to figure out the cause of the failures.

famod (Member) commented Mar 25, 2022

Gradle seems to have trouble getting the fixed databind dependency. Others seem to have similar issues: FasterXML/jackson-databind#2816 (comment)


jorsol (Contributor, Author) commented Mar 26, 2022

Ok, yes, there is an issue with Jackson and Gradle: FasterXML/jackson-databind#3428

In summary, Jackson contains wrong metadata for Gradle and a new patch release is currently being discussed right now: FasterXML/jackson-bom#52 (comment)


Signed-off-by: Jorge Solórzano <jorsol@gmail.com>
@jorsol jorsol changed the title Update Jackson BOM to 2.13.2.20220324 Update Jackson BOM to 2.13.2.20220328 Mar 29, 2022
jorsol (Contributor, Author) commented Mar 29, 2022

@gsmet a new jackson-bom with the fix for the Gradle Module Metadata has been released; the Gradle tests now pass.

I leave the cleanup here since it doesn't break anything. I have renamed the property to jackson-bom.version, since the BOM version does not always match the component versions (and the BOM should be used anyway); it is clearer that the property refers to the BOM version, because components with a patch version don't necessarily match it.
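An added example (not part of this PR or of the Quarkus code base) of the consuming-side pattern the comment above describes: a Maven pom that imports jackson-bom at the version from this PR through a jackson-bom.version property, so jackson-databind takes its version from the BOM rather than from a hard-coded version. The project coordinates are placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder coordinates for this example, not a real project. -->
  <groupId>org.example</groupId>
  <artifactId>jackson-bom-pin-example</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <properties>
    <!-- Named after the BOM, not the components: the BOM's patch version
         (2.13.2.20220328, the version from this PR) is not the same string as
         the patch versions of the modules it manages, such as jackson-databind. -->
    <jackson-bom.version>2.13.2.20220328</jackson-bom.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the BOM makes every Jackson module resolve to the version
           the BOM manages, so bumping one property updates all of them. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson-bom.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No explicit version: a hard-coded one here would override the BOM
         and silently keep an older jackson-databind on the classpath. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the bump, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` shows which jackson-databind version actually resolves; that is the check worth running before treating the advisory as addressed, since a transitive dependency or an explicit version elsewhere in the build can still win over the BOM.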

gsmet (Member) left a review comment Mar 29, 2022

Looks good, thanks. Let's see what CI has to say!

jorsol (Contributor, Author) commented Mar 29, 2022

Ready to go!

@gsmet gsmet merged commit 2785a24 into quarkusio:main Mar 29, 2022
@quarkus-bot quarkus-bot bot added this to the 2.9 - main milestone Mar 29, 2022
@jorsol jorsol deleted the fix-CVE-2020-36518 branch March 29, 2022 15:59
@gsmet gsmet modified the milestones: 2.9 - main, 2.8.0.Final Mar 29, 2022
Labels
area/dependencies Pull requests that update a dependency file area/devtools Issues/PR related to maven, gradle, platform and cli tooling/plugins area/maven area/platform Issues related to definition and interaction with Quarkus Platform