Upgrade jackson-databind to 2.12.7 #14770
} else if (m instanceof AnnotatedMethod) { | ||
genericType = ((AnnotatedMethod) m).getAnnotated().getGenericReturnType(); | ||
} else if (m instanceof AnnotatedParameter) { | ||
genericType = ((AnnotatedParameter) m).getOwner().getGenericParameterType(((AnnotatedParameter) m).getIndex()); |
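Review bot: the new AnnotatedParameter branch calls AnnotatedWithParams.getGenericParameterType, which the CodeQL check on this PR reports as a deprecated method invocation. The sibling branches assign a java.lang.reflect.Type from getGenericReturnType(), so any replacement accessor must still yield a reflection Type for genericType (or the variable's type must change with it); if the deprecated call is being kept on purpose for 2.12 compatibility, a short comment on that line saying so would stop the warning from being re-raised on the next upgrade.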
Code scanning / CodeQL check notice: Deprecated method or constructor invocation (Note): AnnotatedWithParams.getGenericParameterType
FYI, anyone reading this PR: we cannot upgrade to a version beyond 2.12 because of this change: FasterXML/jackson-jaxrs-providers#134
The current version of jackson-databind is flagged for vulnerabilities CVE-2020-28491 (although the CBOR format is not used in Druid) and CVE-2020-36518 (seems genuine, as deeply nested JSON can cause resource exhaustion). Updating the dependency to the latest version, 2.12.7, to fix these vulnerabilities. Now that Hadoop2 is being removed, this upgrade is deemed to be safely made.
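The resource-exhaustion issue behind CVE-2020-36518 is triggered by deeply nested JSON reaching the untyped (Object.class) deserializer. As an added illustration that is not part of this PR or of Druid's code, the guard below walks the document with Jackson's streaming parser, which tracks nesting iteratively, and rejects any input whose depth exceeds a limit before it is handed to ObjectMapper. The class name NestingDepthGuard and the limit of 1000 are assumptions chosen for illustration; the sample documents are constructed inline.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

/** Hypothetical guard: rejects JSON whose nesting depth exceeds a fixed limit. */
public final class NestingDepthGuard {
    private final JsonFactory factory = new JsonFactory();
    private final int maxDepth;

    public NestingDepthGuard(int maxDepth) {
        this.maxDepth = maxDepth;
    }

    /**
     * Scans the document with the streaming API (no recursion, no object tree)
     * and returns its maximum nesting depth, or throws once the limit is exceeded.
     */
    public int checkDepth(String json) throws IOException {
        int depth = 0;
        int maxSeen = 0;
        try (JsonParser p = factory.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    depth++;
                    if (depth > maxDepth) {
                        throw new IOException("JSON nesting depth exceeds limit of " + maxDepth);
                    }
                    maxSeen = Math.max(maxSeen, depth);
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return maxSeen;
    }

    public static void main(String[] args) throws IOException {
        NestingDepthGuard guard = new NestingDepthGuard(1000); // assumed limit
        ObjectMapper mapper = new ObjectMapper();

        // Constructed sample: an ordinary document passes and is then deserialized as usual.
        String ok = "{\"a\":[1,2,{\"b\":[3]}]}";
        int depth = guard.checkDepth(ok);
        System.out.println("depth=" + depth + " value=" + mapper.readValue(ok, Object.class));

        // Constructed sample: 5000 nested arrays, the input shape described for CVE-2020-36518.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 5000; i++) {
            sb.append('[');
        }
        for (int i = 0; i < 5000; i++) {
            sb.append(']');
        }
        try {
            guard.checkDepth(sb.toString());
            System.out.println("unexpectedly accepted");
        } catch (IOException e) {
            // The guard rejects the document before ObjectMapper ever sees it.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The guard costs one extra streaming pass over the input, so it is only worth applying at trust boundaries (request bodies, ingested files) rather than on every internal deserialization; the upgrade to 2.12.7 is still the actual fix, and this check is an additional, version-independent layer.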