This is an automated email from the ASF dual-hosted git repository. jinwoo pushed a commit to branch support/2.0 in repository https://gitbox.apache.org/repos/asf/geode.git
commit 7362e23006778b77ec67d8391306cdab36c73485 Author: Jinwoo Hwang <[email protected]> AuthorDate: Wed Mar 11 09:13:43 2026 -0400 GEODE-10565: Jackson upgrade due to security vulnerabilities (#7990) * jackson upgrade * Update integration test resources for dependency classpath and bundled jars: remove byte-buddy, update snakeyaml to 2.3 * Fix integration test snapshots: remove snakeyaml-2.2, add logback jars * Fix integration test snapshot: remove incorrect logback entries --- boms/geode-all-bom/src/test/resources/expected-pom.xml | 10 +++++----- .../geode/gradle/plugins/DependencyConstraints.groovy | 4 ++-- .../src/integrationTest/resources/assembly_content.txt | 15 +++++++-------- .../src/integrationTest/resources/expected_jars.txt | 1 - .../resources/gfsh_dependency_classpath.txt | 15 +++++++-------- .../integrationTest/resources/dependency_classpath.txt | 15 +++++++-------- 6 files changed, 28 insertions(+), 32 deletions(-)
diff --git a/boms/geode-all-bom/src/test/resources/expected-pom.xml b/boms/geode-all-bom/src/test/resources/expected-pom.xml
index 1aed6be024..e2de17dfbb 100644
--- a/boms/geode-all-bom/src/test/resources/expected-pom.xml
+++ b/boms/geode-all-bom/src/test/resources/expected-pom.xml
@@ -470,27 +470,27 @@
 <dependency>
 <groupId>com.fasterxml.jackson.core</groupId>
 <artifactId>jackson-annotations</artifactId>
- <version>2.17.0</version>
+ <version>2.18.6</version>
 </dependency>
 <dependency>
 <groupId>com.fasterxml.jackson.core</groupId>
 <artifactId>jackson-core</artifactId>
- <version>2.17.0</version>
+ <version>2.18.6</version>
 </dependency>
 <dependency>
 <groupId>com.fasterxml.jackson.core</groupId>
 <artifactId>jackson-databind</artifactId>
- <version>2.17.0</version>
+ <version>2.18.6</version>
 </dependency>
 <dependency>
 <groupId>com.fasterxml.jackson.datatype</groupId>
 <artifactId>jackson-datatype-joda</artifactId>
- <version>2.17.0</version>
+ <version>2.18.6</version>
 </dependency>
 <dependency>
 <groupId>com.fasterxml.jackson.datatype</groupId>
 <artifactId>jackson-datatype-jsr310</artifactId>
- <version>2.17.0</version>
+ <version>2.18.6</version>
 </dependency>
 <dependency>
 <groupId>com.jayway.jsonpath</groupId>
diff --git a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
index ac814c526f..a90712d830 100644
--- a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
+++ b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
@@ -53,8 +53,8 @@ class DependencyConstraints {
 deps.put("slf4j-api.version", "2.0.17")
 deps.put("jakarta.transaction-api.version", "2.0.1")
 deps.put("jboss-modules.version", "1.11.0.Final")
- deps.put("jackson.version", "2.17.0")
- deps.put("jackson.databind.version", "2.17.0")
+ deps.put("jackson.version", "2.18.6")
+ deps.put("jackson.databind.version", "2.18.6")
 // Spring Framework 6.x Migration
 deps.put("springshell.version", "3.3.3")
 deps.put("springframework.version", "6.1.14")
diff --git a/geode-assembly/src/integrationTest/resources/assembly_content.txt b/geode-assembly/src/integrationTest/resources/assembly_content.txt
index f368dbfbf4..62a540f3d7 100644
--- a/geode-assembly/src/integrationTest/resources/assembly_content.txt
+++ b/geode-assembly/src/integrationTest/resources/assembly_content.txt
@@ -923,7 +923,6 @@ lib/antlr-runtime-3.5.2.jar
 lib/asm-9.8.jar
 lib/asm-commons-9.8.jar
 lib/asm-tree-9.8.jar
-lib/byte-buddy-1.14.9.jar
 lib/classgraph-4.8.147.jar
 lib/classmate-1.5.1.jar
 lib/commons-beanutils-1.11.0.jar
@@ -964,12 +963,12 @@ lib/httpclient5-5.4.4.jar
 lib/httpcore5-5.3.4.jar
 lib/httpcore5-h2-5.3.4.jar
 lib/istack-commons-runtime-4.1.1.jar
-lib/jackson-annotations-2.17.0.jar
-lib/jackson-core-2.17.0.jar
-lib/jackson-databind-2.17.0.jar
-lib/jackson-dataformat-yaml-2.17.0.jar
-lib/jackson-datatype-joda-2.17.0.jar
-lib/jackson-datatype-jsr310-2.17.0.jar
+lib/jackson-annotations-2.18.6.jar
+lib/jackson-core-2.18.6.jar
+lib/jackson-databind-2.18.6.jar
+lib/jackson-dataformat-yaml-2.18.6.jar
+lib/jackson-datatype-joda-2.18.6.jar
+lib/jackson-datatype-jsr310-2.18.6.jar
 lib/jakarta.activation-api-2.1.3.jar
 lib/jakarta.annotation-api-2.1.1.jar
 lib/jakarta.el-api-5.0.0.jar
@@ -1042,7 +1041,7 @@ lib/shiro-crypto-hash-1.13.0.jar
 lib/shiro-event-1.13.0.jar
 lib/shiro-lang-1.13.0.jar
 lib/slf4j-api-2.0.17.jar
-lib/snakeyaml-2.2.jar
+lib/snakeyaml-2.3.jar
 lib/snappy-0.5.jar
 lib/spring-aop-6.1.14.jar
 lib/spring-beans-6.1.14.jar
diff --git a/geode-assembly/src/integrationTest/resources/expected_jars.txt b/geode-assembly/src/integrationTest/resources/expected_jars.txt
index 8402711e4e..cc35c17ab8 100644
--- a/geode-assembly/src/integrationTest/resources/expected_jars.txt
+++ b/geode-assembly/src/integrationTest/resources/expected_jars.txt
@@ -9,7 +9,6 @@ antlr-runtime
 asm
 asm-commons
 asm-tree
-byte-buddy
 classgraph
 classmate
 commons-beanutils
diff --git a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
index 3597de43cb..05408cc999 100644
--- a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
+++ b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
@@ -21,12 +21,12 @@ spring-shell-starter-3.3.3.jar
 spring-web-6.1.14.jar
 commons-lang3-3.18.0.jar
 rmiio-2.1.2.jar
-jackson-datatype-jsr310-2.17.0.jar
-jackson-datatype-joda-2.17.0.jar
-jackson-annotations-2.17.0.jar
-jackson-core-2.17.0.jar
-jackson-dataformat-yaml-2.17.0.jar
-jackson-databind-2.17.0.jar
+jackson-datatype-joda-2.18.6.jar
+jackson-annotations-2.18.6.jar
+jackson-dataformat-yaml-2.18.6.jar
+jackson-core-2.18.6.jar
+jackson-datatype-jsr310-2.18.6.jar
+jackson-databind-2.18.6.jar
 swagger-annotations-2.2.22.jar
 jaxb-runtime-4.0.2.jar
 jaxb-core-4.0.2.jar
@@ -113,12 +113,10 @@ jul-to-slf4j-2.0.16.jar
 jetty-jndi-12.0.27.jar
 jetty-util-12.0.27.jar
 slf4j-api-2.0.17.jar
-byte-buddy-1.14.9.jar
 micrometer-observation-1.14.0.jar
 spring-jcl-6.1.14.jar
 micrometer-commons-1.14.0.jar
 LatencyUtils-2.0.3.jar
-snakeyaml-2.2.jar
 reactor-core-3.6.10.jar
 jline-console-3.26.3.jar
 jline-builtins-3.26.3.jar
@@ -127,6 +125,7 @@ jline-style-3.26.3.jar
 jline-terminal-3.26.3.jar
 ST4-4.3.3.jar
 txw2-4.0.2.jar
+snakeyaml-2.3.jar
 asm-commons-9.8.jar
 asm-tree-9.8.jar
 asm-9.8.jar
diff --git a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
index b0e712fd87..6c5dea8561 100644
--- a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
+++ b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
@@ -19,12 +19,12 @@ geode-unsafe-0.0.0.jar
 geode-deployment-legacy-0.0.0.jar
 snappy-0.5.jar
 swagger-annotations-2.2.22.jar
-jackson-datatype-jsr310-2.17.0.jar
-jackson-annotations-2.17.0.jar
-jackson-dataformat-yaml-2.17.0.jar
-jackson-core-2.17.0.jar
-jackson-datatype-joda-2.17.0.jar
-jackson-databind-2.17.0.jar
+jackson-datatype-jsr310-2.18.6.jar
+jackson-annotations-2.18.6.jar
+jackson-dataformat-yaml-2.18.6.jar
+jackson-core-2.18.6.jar
+jackson-datatype-joda-2.18.6.jar
+jackson-databind-2.18.6.jar
 httpclient5-5.4.4.jar
 httpcore5-h2-5.3.4.jar
 httpcore5-5.3.4.jar
@@ -116,8 +116,6 @@ slf4j-api-2.0.17.jar
 micrometer-observation-1.14.0.jar
 micrometer-commons-1.14.0.jar
 LatencyUtils-2.0.3.jar
-byte-buddy-1.14.9.jar
-snakeyaml-2.2.jar
 spring-jcl-6.1.14.jar
 asm-commons-9.8.jar
 asm-tree-9.8.jar
@@ -130,6 +128,7 @@ jline-reader-3.26.3.jar
 jline-style-3.26.3.jar
 jline-terminal-3.26.3.jar
 ST4-4.3.3.jar
+snakeyaml-2.3.jar
 jakarta.enterprise.lang-model-4.0.1.jar
 reactive-streams-1.0.4.jar
 jline-native-3.26.3.jar
