This is an automated email from the ASF dual-hosted git repository.

jinwoo pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode.git


The following commit(s) were added to refs/heads/develop by this push:
     new de876feede GEODE-10565: Jackson upgrade due to security vulnerabilities (#7990)
de876feede is described below

commit de876feede93a03bac4cd6dba80624a8162528e7
Author: Jinwoo Hwang <[email protected]>
AuthorDate: Wed Mar 11 09:13:43 2026 -0400

    GEODE-10565: Jackson upgrade due to security vulnerabilities (#7990)
    
    * jackson upgrade
    
    * Update integration test resources for dependency classpath and bundled jars: remove byte-buddy, update snakeyaml to 2.3
    
    * Fix integration test snapshots: remove snakeyaml-2.2, add logback jars
    
    * Fix integration test snapshot: remove incorrect logback entries
---
 boms/geode-all-bom/src/test/resources/expected-pom.xml    | 10 +++++-----
 .../geode/gradle/plugins/DependencyConstraints.groovy     |  4 ++--
 .../src/integrationTest/resources/assembly_content.txt    | 15 +++++++--------
 .../src/integrationTest/resources/expected_jars.txt       |  1 -
 .../resources/gfsh_dependency_classpath.txt               | 15 +++++++--------
 .../integrationTest/resources/dependency_classpath.txt    | 15 +++++++--------
 6 files changed, 28 insertions(+), 32 deletions(-)

diff --git a/boms/geode-all-bom/src/test/resources/expected-pom.xml b/boms/geode-all-bom/src/test/resources/expected-pom.xml
index 1aed6be024..e2de17dfbb 100644
--- a/boms/geode-all-bom/src/test/resources/expected-pom.xml
+++ b/boms/geode-all-bom/src/test/resources/expected-pom.xml
@@ -470,27 +470,27 @@
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-annotations</artifactId>
-        <version>2.17.0</version>
+        <version>2.18.6</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-core</artifactId>
-        <version>2.17.0</version>
+        <version>2.18.6</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-databind</artifactId>
-        <version>2.17.0</version>
+        <version>2.18.6</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.datatype</groupId>
         <artifactId>jackson-datatype-joda</artifactId>
-        <version>2.17.0</version>
+        <version>2.18.6</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.datatype</groupId>
         <artifactId>jackson-datatype-jsr310</artifactId>
-        <version>2.17.0</version>
+        <version>2.18.6</version>
       </dependency>
       <dependency>
         <groupId>com.jayway.jsonpath</groupId>
diff --git a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
index ac814c526f..a90712d830 100644
--- a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
+++ b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
@@ -53,8 +53,8 @@ class DependencyConstraints {
     deps.put("slf4j-api.version", "2.0.17")
     deps.put("jakarta.transaction-api.version", "2.0.1")
     deps.put("jboss-modules.version", "1.11.0.Final")
-    deps.put("jackson.version", "2.17.0")
-    deps.put("jackson.databind.version", "2.17.0")
+    deps.put("jackson.version", "2.18.6")
+    deps.put("jackson.databind.version", "2.18.6")
     // Spring Framework 6.x Migration
     deps.put("springshell.version", "3.3.3")
     deps.put("springframework.version", "6.1.14")
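Review bot: The two changed `deps.put` lines for `jackson.version` and `jackson.databind.version` carry no comment saying why they moved or that they must stay in step, and the commit message cites security vulnerabilities without naming the advisories. I would add above them `// GEODE-10565: Jackson raised for security fixes; keep jackson.version and jackson.databind.version in step`. The snapshot files in this same commit show snakeyaml going from 2.2 to 2.3 and byte-buddy 1.14.9 leaving the distribution. Both look like transitive effects of this bump, since no entry for either is visible in this hunk, so it is worth confirming that nothing shipped still needs byte-buddy at runtime and whether snakeyaml deserves an explicit constraint here. The enclosing method of DependencyConstraints starts and ends outside the hunk.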
diff --git a/geode-assembly/src/integrationTest/resources/assembly_content.txt b/geode-assembly/src/integrationTest/resources/assembly_content.txt
index f368dbfbf4..62a540f3d7 100644
--- a/geode-assembly/src/integrationTest/resources/assembly_content.txt
+++ b/geode-assembly/src/integrationTest/resources/assembly_content.txt
@@ -923,7 +923,6 @@ lib/antlr-runtime-3.5.2.jar
 lib/asm-9.8.jar
 lib/asm-commons-9.8.jar
 lib/asm-tree-9.8.jar
-lib/byte-buddy-1.14.9.jar
 lib/classgraph-4.8.147.jar
 lib/classmate-1.5.1.jar
 lib/commons-beanutils-1.11.0.jar
@@ -964,12 +963,12 @@ lib/httpclient5-5.4.4.jar
 lib/httpcore5-5.3.4.jar
 lib/httpcore5-h2-5.3.4.jar
 lib/istack-commons-runtime-4.1.1.jar
-lib/jackson-annotations-2.17.0.jar
-lib/jackson-core-2.17.0.jar
-lib/jackson-databind-2.17.0.jar
-lib/jackson-dataformat-yaml-2.17.0.jar
-lib/jackson-datatype-joda-2.17.0.jar
-lib/jackson-datatype-jsr310-2.17.0.jar
+lib/jackson-annotations-2.18.6.jar
+lib/jackson-core-2.18.6.jar
+lib/jackson-databind-2.18.6.jar
+lib/jackson-dataformat-yaml-2.18.6.jar
+lib/jackson-datatype-joda-2.18.6.jar
+lib/jackson-datatype-jsr310-2.18.6.jar
 lib/jakarta.activation-api-2.1.3.jar
 lib/jakarta.annotation-api-2.1.1.jar
 lib/jakarta.el-api-5.0.0.jar
@@ -1042,7 +1041,7 @@ lib/shiro-crypto-hash-1.13.0.jar
 lib/shiro-event-1.13.0.jar
 lib/shiro-lang-1.13.0.jar
 lib/slf4j-api-2.0.17.jar
-lib/snakeyaml-2.2.jar
+lib/snakeyaml-2.3.jar
 lib/snappy-0.5.jar
 lib/spring-aop-6.1.14.jar
 lib/spring-beans-6.1.14.jar
diff --git a/geode-assembly/src/integrationTest/resources/expected_jars.txt b/geode-assembly/src/integrationTest/resources/expected_jars.txt
index 8402711e4e..cc35c17ab8 100644
--- a/geode-assembly/src/integrationTest/resources/expected_jars.txt
+++ b/geode-assembly/src/integrationTest/resources/expected_jars.txt
@@ -9,7 +9,6 @@ antlr-runtime
 asm
 asm-commons
 asm-tree
-byte-buddy
 classgraph
 classmate
 commons-beanutils
diff --git a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
index 3597de43cb..05408cc999 100644
--- a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
+++ b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
@@ -21,12 +21,12 @@ spring-shell-starter-3.3.3.jar
 spring-web-6.1.14.jar
 commons-lang3-3.18.0.jar
 rmiio-2.1.2.jar
-jackson-datatype-jsr310-2.17.0.jar
-jackson-datatype-joda-2.17.0.jar
-jackson-annotations-2.17.0.jar
-jackson-core-2.17.0.jar
-jackson-dataformat-yaml-2.17.0.jar
-jackson-databind-2.17.0.jar
+jackson-datatype-joda-2.18.6.jar
+jackson-annotations-2.18.6.jar
+jackson-dataformat-yaml-2.18.6.jar
+jackson-core-2.18.6.jar
+jackson-datatype-jsr310-2.18.6.jar
+jackson-databind-2.18.6.jar
 swagger-annotations-2.2.22.jar
 jaxb-runtime-4.0.2.jar
 jaxb-core-4.0.2.jar
@@ -113,12 +113,10 @@ jul-to-slf4j-2.0.16.jar
 jetty-jndi-12.0.27.jar
 jetty-util-12.0.27.jar
 slf4j-api-2.0.17.jar
-byte-buddy-1.14.9.jar
 micrometer-observation-1.14.0.jar
 spring-jcl-6.1.14.jar
 micrometer-commons-1.14.0.jar
 LatencyUtils-2.0.3.jar
-snakeyaml-2.2.jar
 reactor-core-3.6.10.jar
 jline-console-3.26.3.jar
 jline-builtins-3.26.3.jar
@@ -127,6 +125,7 @@ jline-style-3.26.3.jar
 jline-terminal-3.26.3.jar
 ST4-4.3.3.jar
 txw2-4.0.2.jar
+snakeyaml-2.3.jar
 asm-commons-9.8.jar
 asm-tree-9.8.jar
 asm-9.8.jar
diff --git a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
index b0e712fd87..6c5dea8561 100644
--- a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
+++ b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
@@ -19,12 +19,12 @@ geode-unsafe-0.0.0.jar
 geode-deployment-legacy-0.0.0.jar
 snappy-0.5.jar
 swagger-annotations-2.2.22.jar
-jackson-datatype-jsr310-2.17.0.jar
-jackson-annotations-2.17.0.jar
-jackson-dataformat-yaml-2.17.0.jar
-jackson-core-2.17.0.jar
-jackson-datatype-joda-2.17.0.jar
-jackson-databind-2.17.0.jar
+jackson-datatype-jsr310-2.18.6.jar
+jackson-annotations-2.18.6.jar
+jackson-dataformat-yaml-2.18.6.jar
+jackson-core-2.18.6.jar
+jackson-datatype-joda-2.18.6.jar
+jackson-databind-2.18.6.jar
 httpclient5-5.4.4.jar
 httpcore5-h2-5.3.4.jar
 httpcore5-5.3.4.jar
@@ -116,8 +116,6 @@ slf4j-api-2.0.17.jar
 micrometer-observation-1.14.0.jar
 micrometer-commons-1.14.0.jar
 LatencyUtils-2.0.3.jar
-byte-buddy-1.14.9.jar
-snakeyaml-2.2.jar
 spring-jcl-6.1.14.jar
 asm-commons-9.8.jar
 asm-tree-9.8.jar
@@ -130,6 +128,7 @@ jline-reader-3.26.3.jar
 jline-style-3.26.3.jar
 jline-terminal-3.26.3.jar
 ST4-4.3.3.jar
+snakeyaml-2.3.jar
 jakarta.enterprise.lang-model-4.0.1.jar
 reactive-streams-1.0.4.jar
 jline-native-3.26.3.jar
