From 5873938eb8e7df5bcb850bf45440e759d59b8661 Mon Sep 17 00:00:00 2001 From: Oleksandr Shevchenko Date: Wed, 24 Jun 2026 13:53:47 +0300 Subject: [PATCH] Bump shaded jackson 2.18.7 to 2.18.8 to fix CVE-2026-54512 and CVE-2026-54513 in uber jar jackson-databind/core/annotations are relocated under com.databricks.internal.fasterxml in the uber jar and cannot be overridden by consumers via Maven dependency management, so the bump must happen at the source. 2.18.8 is a patch-level upgrade within 2.18.x (no API changes) that remediates the PolymorphicTypeValidator bypass CVEs. Signed-off-by: Oleksandr Shevchenko --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 16ae87520..46c97e580 100644 --- a/pom.xml +++ b/pom.xml @@ -75,7 +75,7 @@ 5.3.6 0.23.0 2.0.13 - 2.18.7 + 2.18.8 2.13.2 33.0.0-jre 3.0.1
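Review bot: the single changed line in the pom.xml hunk at -75,7 (2.18.7 to 2.18.8) ships with nothing that confirms the relocated classes in the built uber jar actually come from 2.18.8. The commit message says jackson-databind, jackson-core and jackson-annotations are all shaded under com.databricks.internal.fasterxml and cannot be overridden by consumers, so please confirm that this one property drives all three artifacts. Also state in the PR how the shaded output was checked, for example the resolved versions from the dependency tree, or the Jackson version metadata inside the shaded jar. The context line directly after the bump still reads 2.13.2. Property names are not visible in this extract, so it is worth confirming that this is not a second Jackson module pinned separately. Since only pom.xml is touched, consider adding a changelog or release-note entry naming CVE-2026-54512 and CVE-2026-54513, so consumers scanning the uber jar can tell which release carries the fix.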