From 9f0af62f0e756faba5a08c496e7a343c48f85b2b Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 15 Jun 2026 14:58:34 +0000
Subject: [PATCH] fix: upgrade jackson-bom to 2.13.5 to remediate CVE-2022-42003

Override jackson-bom.version managed by Spring Boot 2.6.3 (which pins jackson-databind at the vulnerable 2.13.1) to 2.13.5, resolving the Denial of Service vulnerability in jackson-databind < 2.13.4.2 when UNWRAP_SINGLE_VALUE_ARRAYS is enabled.

Closes #149
---
 build.gradle | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/build.gradle b/build.gradle
index 03c56f755..b389336d2 100644
--- a/build.gradle
+++ b/build.gradle
@@ -11,6 +11,8 @@ version = '0.0.1-SNAPSHOT'
 sourceCompatibility = '11'
 targetCompatibility = '11'
+ext['jackson-bom.version'] = '2.13.5'
+
 spotless {
 java {
 target project.fileTree(project.rootDir) {