
Bump jackson.version from 2.18.8 to 2.22.0#1485

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/maven/jackson.version-2.22


Conversation

@dependabot dependabot Bot commented on behalf of github Jun 9, 2026
Contributor
Bumps jackson.version from 2.18.8 to 2.22.0.
Updates com.fasterxml.jackson.core:jackson-databind from 2.18.8 to 2.22.0

Updates com.fasterxml.jackson.core:jackson-annotations from 2.18.8 to 2.22.0

Updates com.fasterxml.jackson.core:jackson-core from 2.18.8 to 2.22.0

Commits
  • d763562 [maven-release-plugin] prepare release jackson-core-2.22.0
  • e5c69fe Re-do 2.22.0 release
  • 0ba6a36 Bump version after release
  • b106011 [maven-release-plugin] prepare for next development iteration
  • 18a7fe4 [maven-release-plugin] prepare release jackson-core-2.22.0
  • 503a14f Re-do 2.22.0 release
  • ab95bc0 ...
  • 0a4b8de Post-release dep version bump
  • 719a42f [maven-release-plugin] prepare for next development iteration
  • 9248848 [maven-release-plugin] prepare release jackson-core-2.22.0
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 9, 2026
dependabot Bot commented on behalf of github Jun 9, 2026
Contributor Author

Labels

The following labels could not be found: maven. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@o-shevchenko
Contributor

Heads-up: these shaded jackson CVEs (CVE-2026-54512 / CVE-2026-54513, PolymorphicTypeValidator bypass) can be remediated with a minimal patch-level bump to 2.18.8 within the current 2.18.x line — opened as #1507 — which avoids the larger 2.18 → 2.22 minor jump here and is faster/lower-risk to review.

This PR (→ 2.22) is still valuable as the forward-looking upgrade. Cross-linking so maintainers can pick whichever path they prefer; happy to close #1507 if you'd rather land 2.22 directly.

@dependabot dependabot Bot changed the title Bump jackson.version from 2.18.7 to 2.22 Bump jackson.version from 2.18.7 to 2.22.0 Jun 26, 2026
@dependabot dependabot Bot force-pushed the dependabot/maven/jackson.version-2.22 branch from 2e15f8e to 285a55a Compare June 26, 2026 07:59
vikrantpuppala added a commit that referenced this pull request Jun 29, 2026
…26-54513 in uber jar (#1507)

## Summary
- Bumps shaded `jackson.version` 2.18.7 → 2.18.8 to fix CVE-2026-54512
and CVE-2026-54513 (`PolymorphicTypeValidator` bypass) bundled in the
uber jar.
- `jackson-databind`/`jackson-core`/`jackson-annotations` are relocated
under `com.databricks.internal.fasterxml` in the uber jar, so consumers
cannot override them via Maven dependency management — the bump must
happen at the source.
- Patch-level upgrade within the 2.18.x line; no API changes.

## Relationship to #1485
Dependabot #1485 bumps the same property to **2.22** (a minor-version
upgrade, currently open). This PR is the **minimal security patch**
(2.18.8) that targets only CVE-2026-54512 / CVE-2026-54513, for a
low-risk, fast-to-review fix. Maintainers can take whichever they
prefer.

## Test plan
- [x] `mvn -pl assembly-uber -am package -DskipTests` builds clean
- [x] uber jar bundles relocated `jackson-databind` 2.18.8 (verified via
`META-INF/.../pom.properties` and class paths under
`com/databricks/internal/fasterxml/jackson/databind`)
- [ ] CI unit tests pass

NO_CHANGELOG=true

Signed-off-by: Oleksandr Shevchenko <oleksandr.shevchenko@datarobot.com>
Co-authored-by: Vikrant Puppala <vikrant.puppala@databricks.com>
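The commit message above makes a point worth checking mechanically: because the Jackson classes are relocated under `com.databricks.internal.fasterxml`, a downstream `dependencyManagement` pin on `jackson-databind` does nothing to the copy inside the uber jar, so the only trustworthy check is to open the jar and read what is bundled. The script below is an added example (not code from this project or from Dependabot) that does the same verification the test plan describes, in an automatable form. It assumes the relocation prefix quoted in the commit message, that the shade configuration keeps Maven's per-artifact `META-INF/maven/<groupId>/<artifactId>/pom.properties` (the maven-shade-plugin default), and the patched floor of 2.18.8 named in the commit; the sample jar it audits is constructed inline, and the `2.22` vs `2.22.0` handling covers the two spellings the Dependabot metadata uses for the same release.

```python
"""Audit a shaded uber jar for the Jackson version it actually bundles.

Added example, not part of the project. Assumes the relocation prefix named in
the commit message (com.databricks.internal.fasterxml) and that the shade
configuration keeps Maven's per-artifact pom.properties (the default).
"""
import io
import re
import sys
import zipfile

# Default location maven-jar-plugin writes; maven-shade-plugin keeps it unless filtered.
POM_PROPERTIES = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
# Relocation prefix from the commit message (assumption: all three Jackson artifacts share it).
RELOCATED_PREFIX = "com/databricks/internal/fasterxml/jackson/databind/"
# Unrelocated classes would mean shading is incomplete and a consumer's own Jackson could clash.
ORIGINAL_PREFIX = "com/fasterxml/jackson/databind/"
# Patch-level floor named in the commit message.
MINIMUM_PATCHED = "2.18.8"


def bundled_jackson_databind_version(jar_bytes):
    """Return the version recorded in jackson-databind's pom.properties, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def count_classes(jar_bytes, prefix):
    """Number of .class entries under a package prefix (slash-separated, as in the zip)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sum(1 for n in zf.namelist() if n.startswith(prefix) and n.endswith(".class"))


def version_key(version):
    """Numeric tuple padded to three parts, so '2.22' and '2.22.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(version, minimum=MINIMUM_PATCHED):
    return version_key(version) >= version_key(minimum)


def audit_uber_jar(jar_bytes, minimum=MINIMUM_PATCHED):
    """Bundled version, whether it meets the floor, and whether relocation is complete."""
    version = bundled_jackson_databind_version(jar_bytes)
    return {
        "version": version,
        "patched": version is not None and is_patched(version, minimum),
        "relocated_classes": count_classes(jar_bytes, RELOCATED_PREFIX),
        "unrelocated_classes": count_classes(jar_bytes, ORIGINAL_PREFIX),
    }


def make_sample_jar(version, relocated=True):
    """Constructed stand-in for the uber jar: pom.properties plus two class entries."""
    prefix = RELOCATED_PREFIX if relocated else ORIGINAL_PREFIX
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    "#Generated by Maven\nversion=%s\n"
                    "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n" % version)
        for cls in ("ObjectMapper.class", "jsontype/PolymorphicTypeValidator.class"):
            zf.writestr(prefix + cls, b"\xca\xfe\xba\xbe")  # class-file magic only, no real bytecode
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()  # a real uber jar, e.g. the assembly-uber build output
    else:
        data = make_sample_jar("2.18.7", relocated=False)  # constructed pre-patch, unshaded sample
    result = audit_uber_jar(data)
    print(result)
    sys.exit(0 if result["patched"] and result["unrelocated_classes"] == 0 else 1)
```

Run it against the built uber jar (`python audit_uber_jar.py assembly-uber/target/<jar>`); a non-zero exit means either the bundled `jackson-databind` is below the floor or some Jackson classes escaped relocation, which is the case where a consumer's own Jackson could shadow the bundled one on the classpath. Reading `pom.properties` is a convenience, not proof: if the shade configuration filters `META-INF/maven`, fall back to fingerprinting the relocated classes against the upstream artifact.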
Bumps `jackson.version` from 2.18.8 to 2.22.0.

Updates `com.fasterxml.jackson.core:jackson-databind` from 2.18.8 to 2.22.0
- [Commits](https://github.com/FasterXML/jackson/commits)

Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.18.8 to 2.22.0

Updates `com.fasterxml.jackson.core:jackson-core` from 2.18.8 to 2.22.0
- [Commits](FasterXML/jackson-core@jackson-core-2.18.8...jackson-core-2.22.0)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson.core:jackson-annotations
  dependency-version: '2.22'
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: com.fasterxml.jackson.core:jackson-core
  dependency-version: '2.22'
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: com.fasterxml.jackson.core:jackson-databind
  dependency-version: '2.22'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump jackson.version from 2.18.7 to 2.22.0 Bump jackson.version from 2.18.8 to 2.22.0 Jun 29, 2026
@dependabot dependabot Bot force-pushed the dependabot/maven/jackson.version-2.22 branch from 285a55a to 0ccbd59 Compare June 29, 2026 16:34