
[Snyk] Security upgrade com.fasterxml.jackson.core:jackson-databind from 2.9.3 to 2.18.6#11

Open
philvarner-snyk wants to merge 1 commit into master from snyk-fix-269491ff8b4e92631b68bb5d6cb7ac7d

Conversation

@philvarner-snyk


Snyk has created this PR to fix 1 vulnerability in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue:                high severity, Allocation of Resources Without Limits or Throttling
                      SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924
                      No Path Found, Proof of Concept
Score:                170
Upgrade:              com.fasterxml.jackson.core:jackson-databind: 2.9.3 -> 2.18.6
Breaking Change Risk: Merge Risk: Medium

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

@philvarner-snyk
Author

Merge Risk: Medium

This upgrade of jackson-databind from version 2.9.3 to 2.18.6 spans multiple minor versions and introduces several significant changes, including a Java version requirement update and new processing limits that could impact runtime behavior.

Key Changes:

  • Java Version Requirement: As of version 2.13, jackson-databind requires Java 8 or higher. The underlying jackson-core also moved to a Java 8 baseline in version 2.14.
  • Processing Limits (DoS Protection): Version 2.15 introduced processing limits to prevent Denial-of-Service (DoS) attacks. This includes default limits on maximum String value length (initially 5 million characters, later increased), number value length, and document nesting depth. Payloads exceeding these limits will throw a StreamConstraintsException.
  • Source-Breaking API Change: In version 2.12, a checked JsonProcessingException was removed from the signature of ObjectMapper#treeToValue(). Code that was explicitly catching this exception may no longer compile.
  • Behavioral Changes:
    • Date/Time Serialization: The default serialization for java.util.Date and java.util.Calendar was changed in v2.11 to include a colon in the timezone offset (e.g., +00:00).
    • Annotation Precedence: In v2.14, @JsonIgnore was given precedence over @JsonProperty in cases of conflicting annotations.
    • Type-Checking: Stricter compile-time checks for TypeReference were introduced in v2.10, which may cause code that previously compiled to fail.

Recommendation:

  • Verify that your project is running on Java 8 or newer.
  • Test your application with large JSON payloads to ensure they do not exceed the new default processing limits. If they do, you will need to configure a custom StreamReadConstraints on your JsonFactory.
  • Review code that uses ObjectMapper#treeToValue() to ensure error handling is still correct.
  • Validate that changes to date serialization and annotation precedence do not negatively impact your application's logic.

Source: Jackson Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
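The processing limits described in the comment above are the one change in this upgrade that alters runtime behaviour for inputs that parsed fine under 2.9.3. The following is an added example, not code from this PR or from the project it targets: it builds two constructed payloads that exceed the 2.15+ defaults, shows the stock ObjectMapper rejecting them with StreamConstraintsException, and then configures explicit StreamReadConstraints on a JsonFactory so that only the limit the application actually needs is raised while the others are tightened. It assumes jackson-databind 2.18.x on the classpath; the payload sizes and limit values are illustrative assumptions, not taken from any real application.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

/**
 * Added example, not code from this PR or the project it targets.
 * Exercises the StreamReadConstraints that jackson-core 2.15+ applies by
 * default, so the behaviour change introduced by the 2.9.3 -> 2.18.6 upgrade
 * is visible and tuned on purpose. Assumes jackson-databind 2.18.x on the
 * classpath; all payloads are constructed here and the limits are illustrative.
 */
public class JacksonLimitsDemo {

    /** Constructed payload: nested arrays "[[[...]]]" of the given depth. */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Constructed payload: a single integer literal with the given digit count. */
    static String longInteger(int digits) {
        StringBuilder sb = new StringBuilder(digits);
        for (int i = 0; i < digits; i++) sb.append('7');
        return sb.toString();
    }

    /** Parses with the given mapper and reports which path was taken. */
    static String tryParse(ObjectMapper mapper, String json) {
        try {
            JsonNode node = mapper.readTree(json);
            return "ok (" + node.getNodeType() + ")";
        } catch (StreamConstraintsException e) {
            // Raised by 2.15+ when a default or configured limit is exceeded.
            // It is a JsonProcessingException subtype, so existing handlers that
            // catch JsonProcessingException or IOException already see it.
            return "rejected: " + e.getOriginalMessage();
        } catch (IOException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    /** Mapper with explicit limits instead of the library defaults. */
    static ObjectMapper tunedMapper() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                // Assumption for the demo: this application legitimately carries
                // integers longer than the 1000-digit default, so raise only that.
                .maxNumberLength(5_000)
                // Tighten what no document here needs: the 2.18 defaults allow
                // nesting depth 1000 and 20,000,000-character string values.
                .maxNestingDepth(200)
                .maxStringLength(100_000)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return new ObjectMapper(factory);
    }

    public static void main(String[] args) {
        ObjectMapper defaults = new ObjectMapper();
        ObjectMapper tuned = tunedMapper();

        String deep = nestedArrays(1_500);   // over the default depth limit of 1000
        String bigInt = longInteger(1_500);  // over the default 1000-digit number limit

        System.out.println("defaults, depth 1500:  " + tryParse(defaults, deep));
        System.out.println("defaults, 1500 digits: " + tryParse(defaults, bigInt));
        System.out.println("tuned,    depth 1500:  " + tryParse(tuned, deep));
        System.out.println("tuned,    depth 150:   " + tryParse(tuned, nestedArrays(150)));
        System.out.println("tuned,    1500 digits: " + tryParse(tuned, bigInt));
    }
}
```

The builder starts from the library defaults, so any limit you do not set keeps its default value; raising a limit re-opens exactly the resource-exhaustion surface the 2.15 change closed, so raise only the one a measured workload requires and lower the rest. Wiring the constraints into the JsonFactory that your ObjectMapper is built from keeps the setting local to that mapper, which is easier to reason about than the global StreamReadConstraints.overrideDefaultStreamReadConstraints(...) static override.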

@philvarner-snyk
Author

philvarner-snyk commented Mar 2, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues
        Code Security         0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


2 participants