This is an automated email from the ASF dual-hosted git repository.

stankiewicz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git


The following commit(s) were added to refs/heads/master by this push:
     new 6ae46e3c2d4 Bump jackson_version - Fix GHSA-72hv-8253-57qq  (#37969)
6ae46e3c2d4 is described below

commit 6ae46e3c2d46cb9a03308e2f2c183fd36a7cecf0
Author: Radosław Stankiewicz <[email protected]>
AuthorDate: Fri May 15 22:13:50 2026 +0200

    Bump jackson_version - Fix GHSA-72hv-8253-57qq  (#37969)
    
    * Bump jackson_version - Fix GHSA-72hv-8253-57qq
    
    jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
---
 buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy | 2 +-
 sdks/java/container/license_scripts/dep_urls_java.yaml                  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
index 4edcb0b84d6..92e9c351945 100644
--- a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
+++ b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
@@ -623,7 +623,7 @@ class BeamModulePlugin implements Plugin<Project> {
     def httpclient_version = "4.5.13"
     def httpcore_version = "4.4.14"
     def iceberg_bqms_catalog_version = "1.6.1-1.0.1"
-    def jackson_version = "2.15.4"
+    def jackson_version = "2.18.6"
     def jaxb_api_version = "2.3.3"
     def jsr305_version = "3.0.2"
     def everit_json_version = "1.14.2"
diff --git a/sdks/java/container/license_scripts/dep_urls_java.yaml b/sdks/java/container/license_scripts/dep_urls_java.yaml
index 725e70f227b..29deb716504 100644
--- a/sdks/java/container/license_scripts/dep_urls_java.yaml
+++ b/sdks/java/container/license_scripts/dep_urls_java.yaml
@@ -58,7 +58,7 @@ xz:
   '1.5': # The original repo is down. This license is taken from https://tukaani.org/xz/java.html.
     license: "file://{}/xz/COPYING"
 jackson-bom:
-  '2.15.4':
+  '2.18.6':
     license: "https://raw.githubusercontent.com/FasterXML/jackson-bom/master/LICENSE";
     type: "Apache License 2.0"
 org.eclipse.jgit:
