Bump com.fasterxml.jackson.core:jackson-core from 2.14.2 to 2.18.6#217
Open
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) from 2.14.2 to 2.18.6.

- [Commits](FasterXML/jackson-core@jackson-core-2.14.2...jackson-core-2.18.6)

---

updated-dependencies:
- dependency-name: com.fasterxml.jackson.core:jackson-core
  dependency-version: 2.18.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
joerg84 added a commit that referenced this pull request on Jun 5, 2026:
…y DoS) (#221)

## Summary

Fixes **CVE-2025-52999** (HIGH, CVSS v4 8.7) in `jackson-core` 2.14.2 — a `StackOverflowError` when parsing deeply nested JSON that allows an unauthenticated remote **denial of service**. The fix is jackson-core ≥ 2.15.0, which introduces `StreamReadConstraints` (default max nesting depth = 1000).

## Changes

- Bump `com.fasterxml.jackson.core:jackson-core` and `jackson-databind` **2.14.2 → 2.18.8** (kept on the same version to avoid core/databind drift). `jackson-annotations` follows transitively at 2.18.8.
- `shadowJar`: `exclude 'META-INF/versions/21/**'`.

### Why the shadowJar exclude is needed

jackson-core 2.15+ ships as a multi-release JAR that bundles **Java 21 (class-file major 65)** variants under `META-INF/versions/21`. The Shadow **8.1.1** plugin relocates `com.fasterxml`, and its bundled ASM cannot read major version 65, failing the build with `Unsupported class file major version 65`. This is the **same failure that currently blocks the Dependabot bump in #217** (its CI is red on all `build` jobs).

Dropping the JDK-21-only optimized classes from the **fat jar** is safe:

- The fat jar (`*-all.jar`) is **not the published Maven artifact** — publishing uses `components.java` (the thin jar) with a normal dependency POM.
- The base (Java 8) jackson classes remain, and multi-release fallback covers JDK 17/21 at runtime. `versions/9/11/17` are retained.

A more thorough alternative is to modernize the Shadow plugin (`com.gradleup.shadow`). I kept that out of this CVE fix because the Java-8 CI matrix job constrains us to shadow ≤ 8.3.1 and the upgrade carries package/DSL changes I couldn't validate on a Java 8 build JVM locally. Happy to do it as a follow-up.

## Verification

- `./gradlew clean build jar compileIntegrationTestJava` → **BUILD SUCCESSFUL**, 90/90 unit tests pass (JDK 17, Gradle 8.5).
- Confirmed in the produced `*-all.jar`: relocated jackson present, `StreamReadConstraints` present (the CVE fix), `META-INF/versions/21` removed, `versions/9/11/17` retained.

## Notes

- Supersedes Dependabot **#217** (which bumps only `jackson-core` and is red in CI). This PR bumps both modules and unblocks the build. Recommend closing #217 once this merges.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

> [!NOTE]
> **Medium Risk**
> Touches JSON parsing on all Jackson code paths and changes fat-jar contents; behavior change is intended (nesting limits) with a targeted Shadow workaround rather than a plugin upgrade.
>
> **Overview**
> **Upgrades Jackson** (`jackson-core` and `jackson-databind`) from **2.14.2 → 2.21.4** in main and test dependencies, addressing **CVE-2025-52999** (high-severity DoS via deeply nested JSON parsing in older `jackson-core`).
>
> **Unblocks the Shadow fat JAR build** after the bump: `shadowJar` now **excludes `META-INF/versions/21/**`** so Shadow 8.1.1's relocation of `com.fasterxml` no longer hits Java 21 (class major 65) multi-release entries that its ASM cannot process. JDK-21-only optimized classes are omitted from the `*-all.jar`; the published thin Maven artifact is unchanged.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit ed1ef40. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>

---------

Co-authored-by: joerg84 <joerg@pinecone.io>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
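The commit message above relies on the `StreamReadConstraints` nesting limit that jackson-core 2.15 introduced. The following is an added example, not code from this PR, from the repository, or from jackson-core itself, showing what that limit does at the parser level: it parses a constructed document of nested arrays under the library defaults (max depth 1000) and under a hypothetical stricter limit of 32, and reports whether the parser completes or rejects the input with `StreamConstraintsException`. The class name, the depth values and the `NESTED_SAMPLE_DEPTHS` array are assumptions chosen for the demo; the Jackson types and builder calls are the real 2.15+ API.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

import java.io.IOException;

/**
 * Added demo (not part of the PR or of jackson-core): exercises the
 * nesting-depth constraint that jackson-core >= 2.15 enforces, which is the
 * mitigation the CVE fix in the commit message depends on.
 */
public class NestingDepthDemo {

    /** Constructed test depths for this demo; not taken from the PR. */
    static final int[] NESTED_SAMPLE_DEPTHS = {10, 100, 5000};

    /** Builds a constructed JSON document of the shape [[[...0...]]] with the given nesting depth. */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2 + 1);
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('0');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /**
     * Streams through every token of {@code json} with the given factory.
     * Returns the token count on success, or -1 if the parser stopped because
     * a StreamReadConstraints limit (here: nesting depth) was exceeded.
     */
    static long parseAndCount(JsonFactory factory, String json) throws IOException {
        long tokens = 0;
        try (JsonParser p = factory.createParser(json)) {
            while (p.nextToken() != null) {
                tokens++;
            }
        } catch (StreamConstraintsException e) {
            // This is the defensive failure mode: bounded, logged, no StackOverflowError.
            System.out.println("  rejected: " + e.getMessage());
            return -1;
        }
        return tokens;
    }

    public static void main(String[] args) throws IOException {
        // Library defaults in 2.15+ (max nesting depth 1000).
        JsonFactory defaults = new JsonFactory();
        System.out.println("default max nesting depth = "
                + StreamReadConstraints.defaults().getMaxNestingDepth());

        // Hypothetical tighter limit for a service whose documents are known to be shallow.
        JsonFactory strict = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNestingDepth(32)
                        .build())
                .build();

        for (int depth : NESTED_SAMPLE_DEPTHS) {
            String doc = nestedArrays(depth);
            System.out.println("depth " + depth + " with default constraints:");
            System.out.println("  tokens = " + parseAndCount(defaults, doc));
            System.out.println("depth " + depth + " with maxNestingDepth(32):");
            System.out.println("  tokens = " + parseAndCount(strict, doc));
        }
    }
}
```

Compile and run it against jackson-core 2.15 or later on the classpath; depth 10 parses under both factories (21 tokens: 10 start-array, one number, 10 end-array), depth 100 parses only under the defaults, and depth 5000 is rejected by both. A `JsonMapper` or `ObjectMapper` built on the strict factory inherits the same limit, so the constraint applies uniformly to databind as well as to raw streaming.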
Commits

- 9a46ef8 [maven-release-plugin] prepare release jackson-core-2.18.6
- 5f192db Prep for 2.18.6 release
- b0c428e Enforce StreamReadConstraints.maxNumberLength for non-blocking (async) pars...
- 7c8b6d5 Add test for nesting for DataInput-backed JsonParser (#1550)
- 97a647b Update CI: JDK 23 -> 25
- 1601331 (backport from 2.21) Fix #1548: validate max doc length for fixed buffer inpu...
- fae2542 release notes update
- 70c99ba Update UTF8DataInputJsonParser.java (#1512)
- caea665 Post-release dep version bump
- 635d3bd [maven-release-plugin] prepare for next development iteration

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
> [!NOTE]
> **Low Risk**
> Dependency-only version bumps; main risk is potential runtime/test behavior changes in JSON parsing/serialization due to Jackson upgrade.
>
> **Overview**
> Updates Jackson dependencies in `build.gradle`, bumping `com.fasterxml.jackson.core:jackson-core` and `com.fasterxml.jackson.core:jackson-databind` (including the test dependency) from `2.14.2` to `2.18.6`.
>
> Written by Cursor Bugbot for commit 75acf95.