afs commented on issue #609: Clean javadoc

URL: https://github.com/apache/jena/pull/609#issuecomment-533829343

Thanks for pointing that out. It's been bumpy for upgrades these last few months.

We have an upstream dependency on Jackson for jsonld-java. I don't think any of the Jena code directly uses the Jackson code. Now, Jena and jsonld-java don't actually use the part of databind that has been under attack, but it is easy to upgrade, so if Jena users use Jackson directly, they get the fixes.

jsonld-java is currently depending on 2.9.9 (core) and 2.9.9.2 (databind). Jena takes control of the exact version because of the releases for CVEs, giving us fine-grained control (2.9.9.x) without needing to wait for jsonld-java to release, assuming x.x.x.+1 is fix-only.

In my $job, some customers scan jars and match against the CVE database. I'm sure they aren't the only ones. It is easier to upgrade than explain why the CVE does not affect the code.
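The pattern the comment describes, pinning the transitive Jackson version in the consuming project's own build so a fix-only release can be picked up without waiting on jsonld-java, looks like this in a Maven `pom.xml`. This is an added illustration, not Jena's actual pom; the `jackson.version` property value is a placeholder to be set to the intended fix release (the page names 2.9.9 for core and 2.9.9.2 for databind as the versions jsonld-java was pulling in at the time).

```xml
<project>
  <!-- Added example, not the project's own pom.xml. -->
  <properties>
    <!-- Placeholder: set this to the fix-only Jackson release you intend to ship. -->
    <jackson.version>X.Y.Z</jackson.version>
  </properties>

  <!-- dependencyManagement wins over the version jsonld-java declares
       transitively, so the whole build (and anything that depends on
       this artifact) resolves the pinned release. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The library that actually brings Jackson in transitively. -->
    <dependency>
      <groupId>com.github.jsonld-java</groupId>
      <artifactId>jsonld-java</artifactId>
      <version>JSONLD_JAVA_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` shows which Jackson artifacts and versions actually resolve, which is the same view a jar scanner matching against the CVE database will take.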
