From 25a6562392df3a8ee24b77ccf1da9e21c6e33009 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Mon, 15 Jun 2026 14:58:13 +0000 Subject: [PATCH] fix(security): upgrade jackson-databind to 2.13.5 to address CVE-2022-42003 Override jackson-bom.version in build.gradle to pull in jackson-databind 2.13.5, which resolves the Denial of Service vulnerability (CVSS 7.5) present in 2.13.1 when UNWRAP_SINGLE_VALUE_ARRAYS is enabled. Closes #149 --- build.gradle | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/build.gradle b/build.gradle index 03c56f755..1a46d7ef3 100644 --- a/build.gradle +++ b/build.gradle @@ -11,6 +11,10 @@ version = '0.0.1-SNAPSHOT' sourceCompatibility = '11' targetCompatibility = '11' +ext { + set('jackson-bom.version', '2.13.5') +} + spotless { java { target project.fileTree(project.rootDir) {