Skip to content

Commit

Permalink
Explain how many security issues the Databind library has, and why yo…
Browse files Browse the repository at this point in the history
…u cnanot rely on the version supplied as a transitive dependency
  • Loading branch information
vladmihalcea committed Aug 2, 2022
1 parent 697c7a6 commit 32a0b00
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,9 +66,13 @@ The Hibernate Types project defines a list of optional dependencies that you wil

The reason why all these dependencies are optional, like Guava, Jackson, or PostgreSQL JDBC Driver, is because not all projects may need them.

More, the dependency version is extremely important because if you forget to upgrade a certain dependency, your application could be at risk in case the old dependency version suffers from security issues that have been recently discovered.
More, the dependency version is extremely important because, from time to time, security issues may be discovered that get fixed in newer versions.

For all these reasons, it is your responsibility to define explicitly all the dependencies that you are planning to use.
> So, relying on this library to supply you with the dependency versions is a very dangerous thing to do.
>
> For instance, there have been [65 security issues discovered in the Jackson Data Bind library](https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html) this project is heavily relying on.
>
> To avoid risking security issues, you need to take the responsibility of constantly upgrading all the dependencies that you are using along with the Hibernate Types library.
##### JSON Optional Maven Dependencies

Expand Down

0 comments on commit 32a0b00

Please sign in to comment.