CHK-13321: Upgrade jackson-bom to 3.1.1 for GHSA-2m67-wjpj-xhg9#347

Merged
pboos merged 1 commit into main from CHK-13321-fix-jackson-core-cve
Apr 10, 2026
Conversation

@pboos pboos commented Apr 10, 2026

Summary

  • Fixes security vulnerability GHSA-2m67-wjpj-xhg9 in tools.jackson.core:jackson-core by overriding the Jackson BOM version to 3.1.1
  • The existing strictly constraint in openapi-validation-core was being overridden by the Spring Boot dependency management plugin; this adds ext['jackson-bom.version'] = '3.1.1' to the affected example projects

Vulnerability Details

  • GHSA: GHSA-2m67-wjpj-xhg9
  • Severity: HIGH (CVSS 7.5)
  • Vulnerable Range: >= 3.0.0, <= 3.1.0
  • Patched Version: 3.1.1
  • Package: tools.jackson.core:jackson-core

Changes

  • Added ext['jackson-bom.version'] = '3.1.1' to examples/example-spring-boot-starter-web/build.gradle
  • Added ext['jackson-bom.version'] = '3.1.1' to examples/example-spring-boot-starter-webflux/build.gradle

Testing

  • ✅ Verified tools.jackson.core:jackson-core resolves to 3.1.1 in both example projects
  • ✅ All tests passing locally

References

🤖 Generated with Claude Code
The existing constraint in openapi-validation-core was not sufficient
because the Spring Boot dependency management plugin overrides strict
version constraints with the BOM-managed version (3.1.0). This adds
ext['jackson-bom.version'] = '3.1.1' to the example projects that use
the spring-dependency-management plugin, ensuring jackson-core resolves
to the patched 3.1.1 version.

Closes CHK-13321

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
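An added illustration of the build.gradle fix described in the summary and commit message above (not the repository's own file): the weak state in which the BOM-managed 3.1.0 wins over the library's `strictly` constraint, the `ext['jackson-bom.version']` override that corrects it, and a small verification task. Plugin versions, the library coordinates and the task name are placeholders.

```groovy
// examples/example-spring-boot-starter-web/build.gradle (illustrative;
// plugin and library versions are placeholders, not the repository's values)
plugins {
    id 'java'
    id 'org.springframework.boot' version '<spring-boot-version>'
    id 'io.spring.dependency-management' version '<plugin-version>'
}

// BEFORE: nothing overrides the Spring Boot BOM. The dependency-management
// plugin applies its managed jackson-bom version (3.1.0 here), and that wins
// over the `strictly '3.1.1'` constraint published by the library this
// project depends on (openapi-validation-core in the PR), so jackson-core
// lands in the vulnerable range >= 3.0.0, <= 3.1.0.

// AFTER: override the BOM property before resolution. The plugin reads
// `jackson-bom.version` from project properties, so every artifact managed by
// the Jackson BOM (jackson-core included) resolves to the patched 3.1.1.
ext['jackson-bom.version'] = '3.1.1'

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-web'
    // hypothetical coordinates for the library whose strict constraint was
    // being overridden by the BOM
    implementation 'com.example:openapi-validation-core:<version>'
}

// Verification task (added here, not part of the PR): fails the build if
// jackson-core still resolves to anything other than the patched version.
tasks.register('verifyJacksonCore') {
    doLast {
        def resolved = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts
            .find { it.moduleVersion.id.group == 'tools.jackson.core' &&
                    it.moduleVersion.id.name == 'jackson-core' }
        assert resolved != null : 'jackson-core not on runtimeClasspath'
        assert resolved.moduleVersion.id.version == '3.1.1' :
            "jackson-core resolved to ${resolved.moduleVersion.id.version}"
    }
}
```

`./gradlew dependencyInsight --dependency jackson-core --configuration runtimeClasspath` shows which rule selected the version, which is the quickest way to confirm the override took effect and the constraint is no longer being discarded.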
@pboos pboos marked this pull request as ready for review April 10, 2026 10:06
@pboos pboos requested a review from a team as a code owner April 10, 2026 10:06
@pboos pboos requested a review from anacotirlea April 10, 2026 10:06
@pboos pboos merged commit 20eeeef into main Apr 10, 2026
4 checks passed
@pboos pboos deleted the CHK-13321-fix-jackson-core-cve branch April 10, 2026 10:08