[Snyk] Security upgrade com.fasterxml.jackson.core:jackson-databind from 2.13.4.2 to 2.18.8

[josephggd]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-17440598	773	com.fasterxml.jackson.core:jackson-databind: 2.13.4.2 -> 2.18.8 No Path Found Proof of Concept

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[josephggd]

This upgrade from Jackson Databind 2.13.4.2 to 2.18.8 is a significant minor version jump that introduces several behavioral changes and new features. While there are no major API removals that would cause immediate compilation failure, the subtle changes in parsing, configuration defaults, and internal logic warrant careful testing.

Key Changes Across Versions:

• Jackson 2.14:

  • The precedence for conflicting annotations has changed: @JsonIgnore now wins over @JsonProperty, which could alter serialization output.
  • JsonNode.with() and JsonNode.withArray() now interpret leading slashes as JsonPointer expressions.

• Jackson 2.15:

  • New default processing limits have been introduced to prevent DoS attacks. This includes a maximum length for String values (1 million characters) and numeric tokens (1000 characters), which could cause exceptions for applications processing very large values.

• Jackson 2.16:

  • The default for StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION has been changed to false, which may affect error reporting logic that relies on source location details.

• Jackson 2.17:

  • Parsing for numbers from strings has become stricter. For example, a string with a leading zero like "07" will no longer be coerced to a number for Enum indexes.

• Jackson 2.18:

  • A major internal rewrite of the POJO property introspection mechanism was completed. While this fixes many bugs, it carries a risk of subtle behavioral changes in edge cases.
  • Support for Kotlin 1.7.x has been dropped.

Recommendation:

Given the number of changes, a Medium risk is assigned. It is critical to perform thorough regression testing on your application's serialization and deserialization logic, paying close attention to error handling, edge cases with large values, and objects with conflicting annotations.

Source: Jackson Project Wiki on GitHub

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.