Skip to content

fix(deps): bump jackson-databind 2.16.1 -> 2.18.8#951

Open
gummy789j wants to merge 1 commit into
release_v4.9.8from
fix/bump-jackson-2.18.8
Open

fix(deps): bump jackson-databind 2.16.1 -> 2.18.8#951
gummy789j wants to merge 1 commit into
release_v4.9.8from
fix/bump-jackson-2.18.8

Conversation

@gummy789j

Copy link
Copy Markdown
Collaborator

Addresses CVE-2026-54512/54513/54514/54515 (PolymorphicTypeValidator bypass in jackson-databind). Fixed on the 2.x line in 2.18.8.

Addresses CVE-2026-54512/54513/54514/54515 (PolymorphicTypeValidator
bypass in jackson-databind). Fixed on the 2.x line in 2.18.8.

Kotlin stdlib (CVE-2026-53914) intentionally left at 1.9.10: it is a
build-time-only issue reached transitively via okhttp, and the patched
stable release (2.4.20) is not yet published (only 2.4.20-Beta1).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant