From 73004a92e046ea3a137a19efd556bd207a8f261b Mon Sep 17 00:00:00 2001 From: Steven Lin Date: Tue, 7 Jul 2026 16:42:34 +0800 Subject: [PATCH] fix(deps): bump jackson-databind 2.16.1 -> 2.18.8 Addresses CVE-2026-54512/54513/54514/54515 (PolymorphicTypeValidator bypass in jackson-databind). Fixed on the 2.x line in 2.18.8. Kotlin stdlib (CVE-2026-53914) intentionally left at 1.9.10: it is a build-time-only issue reached transitively via okhttp, and the patched stable release (2.4.20) is not yet published (only 2.4.20-Beta1). Co-Authored-By: Claude Opus 4.8 (1M context) --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index c2aadba5c..b6cb8f48c 100644 --- a/build.gradle +++ b/build.gradle @@ -81,7 +81,7 @@ dependencies { implementation group: 'com.typesafe', name: 'config', version: '1.3.2' implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.14.0' implementation group: 'com.alibaba', name: 'fastjson', version: '1.2.83' - implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.16.1' + implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.8' compileOnly 'org.projectlombok:lombok:1.18.24' annotationProcessor 'org.projectlombok:lombok:1.18.24'