fix(deps): add constraint for Jackson Core 3.x to address GHSA-2m67-wjpj-xhg9

ursulean · claude · ursulean · commit b1932a3573c4 · 2026-04-09T11:46:52.000+02:00
Add dependency constraint to ensure Jackson Core 3.x uses version 3.1.1 or later if pulled in as transitive dependency. This fixes a high severity vulnerability where Jackson Core 3.0.0-3.1.0 does not consistently enforce maxDocumentLength constraint, which could allow DoS attacks. Resolves dependabot alert #41 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/openapi-validation-core/build.gradle b/openapi-validation-core/build.gradle
@@ -13,6 +13,12 @@ dependencies {
         implementation('org.mozilla:rhino:1.9.0') {
             because 'CVE-2025-66453: Rhino before 1.9.0 has high CPU usage and potential DoS when passing specific numbers to toFixed() function. See https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x'
         }
+        implementation('tools.jackson.core:jackson-core') {
+            version {
+                strictly '[3.1.1,)'
+            }
+            because 'GHSA-2m67-wjpj-xhg9: Jackson Core 3.0.0-3.1.0 does not consistently enforce maxDocumentLength constraint, allowing DoS attacks. See https://github.com/getyourguide/openapi-validation-java/security/dependabot/41'
+        }
 //        implementation('org.yaml:snakeyaml:1.33') {
 //            because 'Vulnerability in 1.33 is not yet fixed. See: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in' +
 //                    'https://devhub.checkmarx.com/cve-details/CVE-2022-41854/' +
