[ 
https://issues.apache.org/jira/browse/TINKERPOP-2401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17179705#comment-17179705
 ] 

Stephen Mallette commented on TINKERPOP-2401:
---------------------------------------------

I seem to recall that we intended to keep 3.4.x on 2.9.10.x for some reason. 
Jackson has been releasing security patches on that line to match 2.10.x for 
some time now with the most recent occurring last June with 2.9.10.5. Do you 
happen to know if that note about the "non-active" branch was recently added? 
Are there not going to be any more security patches along 2.9.10.x?

> Upgrade Jackson-databind to 2.10.x
> ----------------------------------
>
>                 Key: TINKERPOP-2401
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2401
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: build-release
>    Affects Versions: 3.4.8
>            Reporter: Divij Vaidya
>            Priority: Major
>
> Currently TinkerPop uses 2.9.10.5 version which has known [security 
> vulnerabilities|https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/version_id-353769/Fasterxml-Jackson-databind-2.9.10.html].
> As per guidance from Jackson-databind, 2.9.x is a non-active branch. To quote 
> from https://github.com/FasterXML/jackson
> {quote}2.9: non-active branch from which micro-patch releases (like 2.9.10.5) 
> MAY be made for individual components (jackson-databind usually){quote}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
