Update jackson dependencies due to CVE-2020-36518
brunchboy opened this issue · 1 comments
brunchboy commented
We are having to update our own dependencies because of a vulnerability in jackson-databind, and this project is one of our direct dependencies which led to it being included in the first place, so you may want to update your jackson versions as well.
joschi commented
Dropwizard Metrics 4.2.x is already using Jackson 2.12.7, which is not affected by this vulnerability.
- https://github.com/dropwizard/metrics/blob/v4.2.10/metrics-json/pom.xml#L20
- https://github.com/dropwizard/metrics/blob/v4.2.10/metrics-servlets/pom.xml#L23
- https://github.com/dropwizard/metrics/blob/v4.2.10/metrics-jakarta-servlets/pom.xml#L23
We won't upgrade the Jackson version in Dropwizard Metrics 4.1.x, but you can override the version of Jackson being used in your project by adding the respective artifacts into the <dependencies> or <dependencyManagement> section of your POM or the equivalents of your build system.
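As an added illustration of the override joschi describes (example configuration, not code from the Dropwizard Metrics project), a Maven POM that pins every Jackson module to 2.12.7 via the Jackson BOM while still consuming a Metrics 4.1.x artifact. The project coordinates are constructed, the Metrics version is a placeholder, and the metrics-json artifact coordinates are assumed.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- constructed sample coordinates for the consuming project -->
  <groupId>com.example</groupId>
  <artifactId>metrics-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Import the Jackson BOM so jackson-databind, jackson-core and
           jackson-annotations all resolve to one pinned version.
           Managed versions take precedence over the transitive Jackson
           version that Metrics 4.1.x declares. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>2.12.7</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Metrics module that transitively pulls in jackson-databind;
         METRICS_4_1_VERSION is a placeholder for the 4.1.x release in use. -->
    <dependency>
      <groupId>io.dropwizard.metrics</groupId>
      <artifactId>metrics-json</artifactId>
      <version>METRICS_4_1_VERSION</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`: every jackson-* entry should resolve to 2.12.7 rather than the version Metrics 4.1.x declares.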