Skip to content

fix(deps): bump jackson-databind 2.16.1 -> 2.18.8#951

Merged
gummy789j merged 1 commit into
release_v4.9.8from
fix/bump-jackson-2.18.8
Jul 15, 2026
Merged

fix(deps): bump jackson-databind 2.16.1 -> 2.18.8#951
gummy789j merged 1 commit into
release_v4.9.8from
fix/bump-jackson-2.18.8

Conversation

@gummy789j

Copy link
Copy Markdown
Collaborator

Addresses CVE-2026-54512/54513/54514/54515 (PolymorphicTypeValidator bypass in jackson-databind). Fixed on the 2.x line in 2.18.8.

Addresses CVE-2026-54512/54513/54514/54515 (PolymorphicTypeValidator
bypass in jackson-databind). Fixed on the 2.x line in 2.18.8.

Kotlin stdlib (CVE-2026-53914) intentionally left at 1.9.10: it is a
build-time-only issue reached transitively via okhttp, and the patched
stable release (2.4.20) is not yet published (only 2.4.20-Beta1).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@gummy789j
gummy789j merged commit d5ebade into release_v4.9.8 Jul 15, 2026
@gummy789j gummy789j mentioned this pull request Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants