Bump Jackson to 2.12.6.20220326 (CVE-2020-36518) #12411
Conversation
jihoonson
changed the title
| @@ -85,7 +85,7 @@ public void testKafkaEmitter() throws InterruptedException | |||
| final KafkaProducer<String, String> producer = mock(KafkaProducer.class); | |||
| final KafkaEmitter kafkaEmitter = new KafkaEmitter( | |||
| new KafkaEmitterConfig("", "metrics", "alerts", requestTopic, "test-cluster", null), | |||
| new ObjectMapper() | |||
| new DefaultObjectMapper() | |||
There was a problem hiding this comment.
any particular reason this change is required?
|
@jihoonson it looks like the changes you made to tests are due to FasterXML/jackson-databind#1852 Are there any other 2.11 or 2.12 behavior changes we might have to worry about? |
| @@ -58,9 +58,9 @@ public Object findInjectableValueId(AnnotatedMember m) | |||
| if (m instanceof AnnotatedMethod) { | |||
| throw new IAE("Annotated methods don't work very well yet..."); | |||
| } | |||
| return Key.get(m.getGenericType()); | |||
| return Key.get(m.getRawType()); | |||
There was a problem hiding this comment.
This change confuses me. The javadoc of getGenericType says that getType should be used to replace it. But according to the CI test result of #12373 , using of getType here seems that it does not work correctly.
|
This pull request has been marked as stale due to 60 days of inactivity. |
|
closing since this was addressed as part of #14770 |
Description
Another attempt to address https://nvd.nist.gov/vuln/detail/CVE-2020-36518. This PR bumps Jackson to
2.12.6.20220326which has the fix for the CVE (FasterXML/jackson-databind#2816). It seems not possible to upgrade Jackson to 2.13.2 with no change because of FasterXML/jackson-jaxrs-providers#134.This PR has: