RD-9188 upgrade jackson-dataformat-yaml #21
Conversation
project/Dependencies.scala
Outdated
| @@ -56,18 +56,19 @@ object Dependencies { | |||
|
|
|||
| val guava = "com.google.guava" % "guava" % "31.1-jre" | |||
|
|
|||
| val jacksonDepsVersion = "2.14.2" | |||
There was a problem hiding this comment.
We used to place the versions separately but then Intellij stopped detecting updates. That's why we have it explicit per dependency per line instead of placing the number separately. (It's also more confusing because you updated YAML module of Jackson only.)
I think the correct solution is to leave the numbers per line, but actually update them all to 2.15.2, so that we move all of Jackson forward.
That said, this must be validated against scala2 and repose. That's because in the past, the latest Jackson version caused issues downstream in Repose. (@gkiomour might know the details.) Now they are more split, so perhaps easier. But whatever version we define here affects Repose because Jackson is part of the Snapi clients, and Repose itself depends on the clients, which then bring along all of Jackson.
The current version is causing a transitive vuln issue (check JIRA for more details)