Skip to content

fix(deps): jackson-databind 2.21.3 -> 2.21.5 (7 advisories) [0.8.3]#247

Merged
Skobeltsyn merged 2 commits into
mainfrom
fix/jackson-databind-cves-0.8.3
Jul 9, 2026
Merged

fix(deps): jackson-databind 2.21.3 -> 2.21.5 (7 advisories) [0.8.3]#247
Skobeltsyn merged 2 commits into
mainfrom
fix/jackson-databind-cves-0.8.3

Conversation

@Skobeltsyn

Copy link
Copy Markdown
Contributor

Forces the transitively-bundled jackson-databind (via langchain4j-core in agents-kt-rag-langchain4j) and the coupled jackson-core to 2.21.5, clearing all 7 open Dependabot advisories on the 2.21.x line.

  • 2.21.5, not 2.21.4 — the InetSocketAddress eager-DNS SSRF (GHSA-5jmj-h7xm-6q6v) is fixed only in 2.21.5.
  • No source or API change; patch bump within the same minor line.
  • Lockfile + gradle/verification-metadata.xml regenerated for jackson-core/jackson-databind/jackson-bom 2.21.5.
  • CHANGELOG entry under [Unreleased]slated for 0.8.3 (kept out of the 0.8.2 release release(0.8.2): standards & trust hardening #244).

🤖 Generated with Claude Code

Skobeltsyn and others added 2 commits July 9, 2026 18:02
jackson-databind arrives transitively via langchain4j-core in
agents-kt-rag-langchain4j (not a direct dependency of any module).
Dependabot flagged 7 open advisories on the 2.21.x line; forcing
jackson-databind + jackson-core to 2.21.5 in the module's existing
resolutionStrategy.force(...) clears all of them. 2.21.5 (not 2.21.4)
is required because the InetSocketAddress SSRF (GHSA-5jmj-h7xm-6q6v) is
fixed only in 2.21.5.

Lockfile + gradle/verification-metadata.xml regenerated for
jackson-core/jackson-databind/jackson-bom 2.21.5. No source/API change.
Slated for 0.8.3 (CHANGELOG entry under [Unreleased]).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Skobeltsyn Skobeltsyn merged commit cab6df1 into main Jul 9, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant