Commit
This was triggered by an alert from GitHub: https://github.com/zalando-nakadi/nakadi-producer-spring-boot-starter/network/alert/nakadi-producer/pom.xml/com.fasterxml.jackson.core:jackson-databind/open

(As I'm not sure how useful this URL will be after I resolve the alert, here is the gist of its content plus my interpretation.)

com.fasterxml.jackson.core:jackson-databind was at version 2.8.8, which is affected by a bunch of remote code execution vulnerabilities:

- CVE-2017-17485
- CVE-2018-7489
- CVE-2017-7525

Versions 2.8.11 or higher are not affected.

As the dependency version suggested by our parent pom (spring-boot-starter-parent) is 2.9.6, we can just remove the version number here. (I don't think the use of Jackson in this library is vulnerable, as we are not parsing, only creating JSON, but it is better not to carry broken dependency versions into any application.)

While doing this, I also removed some other version numbers in our pom.xml which have the same or newer versions in the parent.
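The pom change the commit describes, as an added illustration (this is not the project's pom.xml and not part of the commit): a child pom that inherits from spring-boot-starter-parent. The parent version, the project coordinates and the artifact name below are assumptions, not taken from the repository. The weak setting is shown in the comment: an explicit `<version>` on the dependency overrides whatever the parent's `<dependencyManagement>` section manages, so the module stays on 2.8.8 however the parent is upgraded. The corrected form omits `<version>` and lets the parent supply it.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <!-- assumed parent version; the commit only says the parent manages jackson-databind 2.9.6 -->
    <version>2.0.3.RELEASE</version>
  </parent>

  <!-- hypothetical coordinates, not the starter's own -->
  <groupId>org.example</groupId>
  <artifactId>example-producer</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <dependencies>
    <!-- BEFORE (weak): the explicit version wins over the parent's managed
         version, so the build resolves jackson-databind 2.8.8 regardless of
         the parent.

    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.8.8</version>
    </dependency>
    -->

    <!-- AFTER (corrected): no <version> element, so Maven takes the version
         from the parent's <dependencyManagement> (2.9.6 according to the commit
         message), and future parent upgrades move this dependency along. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm which version the build actually resolves after such a change, run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` in the module directory; the printed tree shows the effective version, which is what a dependency-alert scanner inspects. Note that an unmanaged transitive dependency can still pull in an older jackson-databind, so checking the resolved tree rather than only the pom is the check that matters.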