
fix(deps): bump jackson to 2.18.8 to fix CVE-2025-52999 (high-severity DoS)#221

Merged
joerg84 merged 3 commits into main from fix/cve-jackson-dos on Jun 5, 2026

Conversation


@joerg84 joerg84 commented Jun 5, 2026

Summary

Fixes CVE-2025-52999 (HIGH, CVSS v4 8.7) in jackson-core 2.14.2 — a StackOverflowError when parsing deeply nested JSON that allows an unauthenticated remote denial of service. The fix is jackson-core ≥ 2.15.0, which introduces StreamReadConstraints (default max nesting depth = 1000).

Changes

  • Bump com.fasterxml.jackson.core:jackson-core and jackson-databind 2.14.2 → 2.18.8 (kept on the same version to avoid core/databind drift). jackson-annotations follows transitively at 2.18.8.
  • shadowJar: exclude 'META-INF/versions/21/**'.

Why the shadowJar exclude is needed

jackson-core 2.15+ ships as a multi-release JAR that bundles Java 21 (class-file major 65) variants under META-INF/versions/21. The Shadow 8.1.1 plugin relocates com.fasterxml, and its bundled ASM cannot read major version 65, failing the build with Unsupported class file major version 65. This is the same failure that currently blocks the Dependabot bump in #217 (its CI is red on all build jobs).

Dropping the JDK-21-only optimized classes from the fat jar is safe:

  • The fat jar (*-all.jar) is not the published Maven artifact — publishing uses components.java (the thin jar) with a normal dependency POM.
  • The base (Java 8) jackson classes remain, and multi-release fallback covers JDK 17/21 at runtime. versions/9/11/17 are retained.

A more thorough alternative is to modernize the Shadow plugin (com.gradleup.shadow). I kept that out of this CVE fix because the Java-8 CI matrix job constrains us to shadow ≤ 8.3.1 and the upgrade carries package/DSL changes I couldn't validate on a Java 8 build JVM locally. Happy to do it as a follow-up.

Verification

  • ./gradlew clean build jar compileIntegrationTestJava: BUILD SUCCESSFUL, 90/90 unit tests pass (JDK 17, Gradle 8.5).
  • Confirmed in the produced *-all.jar: relocated jackson present, StreamReadConstraints present (the CVE fix), META-INF/versions/21 removed, versions/9/11/17 retained.

Notes

🤖 Generated with Claude Code
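The nesting limit the PR relies on can be exercised directly. The following is an added example, not code from the PR or the project; it assumes jackson-core and jackson-databind 2.15 or later on the classpath (which is what the bump provides), and the tighter limit of 50 is an illustrative choice for a service that never needs deep structures.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class NestingDepthCheck {

    // Constructed input: a document nested `depth` levels deep, e.g. "[[[]]]" for depth 3.
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Returns true if the mapper accepted the document, false if the
    // nesting constraint rejected it. On jackson-core >= 2.15 the limit is
    // enforced by the parser before recursion can exhaust the stack, so a
    // hostile document yields a catchable exception instead of a StackOverflowError.
    static boolean parses(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readTree(json);
            return true;
        } catch (StreamConstraintsException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Library defaults since 2.15: maxNestingDepth is 1000.
        ObjectMapper defaults = new ObjectMapper();
        System.out.println("default maxNestingDepth = "
                + StreamReadConstraints.defaults().getMaxNestingDepth());
        System.out.println("depth 500 accepted:  " + parses(defaults, nestedArrays(500)));
        System.out.println("depth 5000 accepted: " + parses(defaults, nestedArrays(5000)));

        // A tighter, application-specific limit (50 is an illustrative value).
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNestingDepth(50)
                        .build())
                .build();
        ObjectMapper strict = new ObjectMapper(factory);
        System.out.println("strict, depth 40 accepted:  " + parses(strict, nestedArrays(40)));
        System.out.println("strict, depth 100 accepted: " + parses(strict, nestedArrays(100)));
    }
}
```

Running the same program against jackson 2.14.2 is a quick way to confirm the pre-fix behaviour, since that version has neither StreamReadConstraints nor StreamConstraintsException and will not compile.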


Note

Medium Risk
Touches JSON parsing on all Jackson code paths and changes fat-jar contents; behavior change is intended (nesting limits) with a targeted Shadow workaround rather than a plugin upgrade.

Overview
Upgrades Jackson (jackson-core and jackson-databind) from 2.14.2 → 2.21.4 in main and test dependencies, addressing CVE-2025-52999 (high-severity DoS via deeply nested JSON parsing in older jackson-core).

Unblocks the Shadow fat JAR build after the bump: shadowJar now excludes META-INF/versions/21/** so Shadow 8.1.1’s relocation of com.fasterxml no longer hits Java 21 (class major 65) multi-release entries that its ASM cannot process. JDK-21-only optimized classes are omitted from the *-all.jar; the published thin Maven artifact is unchanged.

Reviewed by Cursor Bugbot for commit ed1ef40.

jackson-core 2.14.2 is vulnerable to CVE-2025-52999 (HIGH, CVSS 8.7): a
StackOverflowError when parsing deeply nested JSON, enabling a remote DoS.
The fix is jackson-core 2.15.0+, which adds StreamReadConstraints with a
default nesting limit of 1000.

- Bump jackson-core and jackson-databind 2.14.2 -> 2.18.8 (kept aligned).
- shadowJar: exclude META-INF/versions/21/** from the (unpublished) fat jar.
  jackson-core 2.15+ is a multi-release JAR carrying Java 21 (class-file
  major 65) classes; the Shadow 8.1.1 plugin relocates com.fasterxml and its
  ASM cannot read major 65 ("Unsupported class file major version 65").
  Dropping the JDK-21-only variants is safe: the base classes remain and
  multi-release fallback applies. This is the same shadowJar failure that
  blocks the dependabot bump in #217.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@rohanshah18 rohanshah18 left a comment


Thank you for fixing this! Changes do make sense. Just one question, any particular reason for choosing v2.18.8 instead of the latest version?

Bump jackson-core/databind 2.18.8 -> 2.22.0 (latest 2.x) per review feedback
on #221. 2.22.0 is still Java 8 compatible and has the same multi-release
profile (Java 21 classes under META-INF/versions/21), so the existing shadowJar
exclude is unchanged. jackson 3.x is not an option: it uses new coordinates
(tools.jackson.*) and requires Java 17, while this client targets Java 8.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

joerg84 commented Jun 5, 2026

Thanks for the review @rohanshah18! No strong reason — I'd initially matched the 2.18.x line from Dependabot #217. Per your suggestion I've bumped to the latest 2.x, 2.22.0 (just pushed).

A couple of notes on the version choice:

  • 2.22.0 is still Java 8 compatible (manifest still declares JavaSE 1.8) and has the same multi-release profile (Java 21 classes under META-INF/versions/21), so the shadowJar exclude is unchanged and the build stays green on the Java 8/11/16/17 matrix.
  • jackson 3.x is intentionally avoided: 3.x ships under new Maven coordinates (tools.jackson.*) and requires Java 17, whereas this client targets Java 8 — so it'd be a breaking change, not a drop-in bump.

CI is re-running on the new commit; I'll keep an eye on it.

Per review: 2.22 is not a long-term-support branch, while 2.21 is an LTS
release (~2-year support window with security backports) — a better fit for a
published client library. 2.21.4 is Java 8 compatible with the same
multi-release profile, so the shadowJar exclude is unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

joerg84 commented Jun 5, 2026

Great call — you're right, 2.22 is non-LTS (short-lived branch) and 2.21 is the LTS line with a ~2-year support window and security backports, which is the better choice for a published library. Switched to the latest 2.21 patch, 2.21.4 (just pushed).

2.21.4 is Java 8 compatible (Build-Jdk-Spec: 1.8) with the same multi-release profile, so the shadowJar exclude is unchanged and the build stays green. Verified locally: 90/90 unit tests pass, jackson resolves to 2.21.4, StreamReadConstraints (the CVE-2025-52999 fix) is present.

@joerg84 joerg84 merged commit 0ecbcf9 into main Jun 5, 2026
13 checks passed
@joerg84 joerg84 deleted the fix/cve-jackson-dos branch June 5, 2026 22:16