From c3e54dfdcca2db5959316ab63dd285bbfb89dab0 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 15 Jun 2026 15:26:21 +0000
Subject: [PATCH] fix: upgrade jackson-databind to 2.13.5 to remediate CVE-2022-42003

Override jackson-bom.version to 2.13.5 in build.gradle, resolving jackson-databind from the vulnerable 2.13.1 to 2.13.5 which includes the fix for CVE-2022-42003 (Denial of Service via deeply nested objects when UNWRAP_SINGLE_VALUE_ARRAYS is enabled).

Closes #152
---
 build.gradle | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/build.gradle b/build.gradle
index 03c56f755..b389336d2 100644
--- a/build.gradle
+++ b/build.gradle
@@ -11,6 +11,8 @@ version = '0.0.1-SNAPSHOT'
 sourceCompatibility = '11'
 targetCompatibility = '11'
 
+ext['jackson-bom.version'] = '2.13.5'
+
 spotless {
 java {
 target project.fileTree(project.rootDir) {
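Review bot: The added `ext['jackson-bom.version'] = '2.13.5'` only changes what is resolved if the build takes its managed versions from Spring's `io.spring.dependency-management` plugin. The `plugins` block is outside this hunk, so that cannot be confirmed from here. If the BOM is instead imported through Gradle's own `platform(...)`, the property is silently ignored and jackson-databind stays on 2.13.1. Confirm the resolved version with `./gradlew dependencyInsight --dependency jackson-databind --configuration runtimeClasspath` before closing the issue. The line also has no comment tying it to the advisory, so I would add `// Pinned for CVE-2022-42003; remove once the managed Jackson BOM is >= 2.13.5` so the override is not left behind to hold Jackson back after a later platform upgrade.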