Skip to content

chore(server): pin Jackson dataformat dependencies to version 3.2.0#1942

Closed
vinokurig wants to merge 1 commit into
eclipse-openvsx:mainfrom
vinokurig:CVE-2026-50193_CVE-2026-54512
Closed

chore(server): pin Jackson dataformat dependencies to version 3.2.0#1942
vinokurig wants to merge 1 commit into
eclipse-openvsx:mainfrom
vinokurig:CVE-2026-50193_CVE-2026-54512

Conversation

@vinokurig

Copy link
Copy Markdown
Contributor

Add explicit version constraint for Jackson dataformat libraries (YAML, XML, TOML) to address CVE-2026-50193 and CVE-2026-54512.

Add explicit version constraint for Jackson dataformat libraries (YAML, XML, TOML) to address CVE-2026-50193 and CVE-2026-54512.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@cstamas

cstamas commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Why not 3.2.1?

@netomi

netomi commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

so the referenced CVE does not affect the project as it uses 3.1.4 which is the default in the spring boot version we use.

If we need to bump the version, I would prefer to update the jackson bom in general in the build.gradle with using

ext['jackson-bom.version'] = '3.2.0'

https://docs.spring.io/spring-boot/appendix/dependency-versions/properties.html

@vinokurig

Copy link
Copy Markdown
Contributor Author

Closing the PR as the project is NOT affected by the CVEs

@vinokurig vinokurig closed this Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants