[
https://issues.apache.org/jira/browse/TINKERPOP-2401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17185318#comment-17185318
]
Stephen Mallette commented on TINKERPOP-2401:
---------------------------------------------
Jackson seems to still be releasing on 2.9.10.x - I just bumped to 2.9.10.6 on
3.4-dev:
https://github.com/apache/tinkerpop/commit/aa723273044e1501be13bffb2d3377ac70c950f7
Looks like we went to 2.11.x on master which I seem to recall required some
breaking changes. Before that move on master we did the move to 2.10.x on
TINKERPOP-2356 which seems relatively easy to backport. I can't find any
explanation as to why we wanted to stay on 2.9.x on 3.4-dev so perhaps we can
go forward with this change. Going to give it a bit more time to see if any
reason pops into my head though....
> Upgrade Jackson-databind to 2.10.x
> ----------------------------------
>
> Key: TINKERPOP-2401
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2401
> Project: TinkerPop
> Issue Type: Improvement
> Components: build-release
> Affects Versions: 3.4.8
> Reporter: Divij Vaidya
> Priority: Major
>
> Currently TinkerPop uses version 2.9.10.5, which has known [security
> vulnerabilities|https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/version_id-353769/Fasterxml-Jackson-databind-2.9.10.html].
> As per guidance from Jackson-databind, 2.9.x is a non-active branch. To quote
> from https://github.com/FasterXML/jackson
> {quote}2.9: non-active branch from which micro-patch releases (like 2.9.10.5)
> MAY be made for individual components (jackson-databind usually){quote}