Skip to content

Jackson upgrade to 2.18.8#11917

Open
kosmaty wants to merge 3 commits into
testcontainers:mainfrom
kosmaty:jackson-upgrade-to-2.18.8
Open

Jackson upgrade to 2.18.8#11917
kosmaty wants to merge 3 commits into
testcontainers:mainfrom
kosmaty:jackson-upgrade-to-2.18.8

Conversation

@kosmaty

@kosmaty kosmaty commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

jackson-databind 2.18.4 has 2 high-scored vulnerabilities: https://www.cve.org/CVERecord?id=CVE-2026-54512
https://www.cve.org/CVERecord?id=CVE-2026-54513

Due to shadowing of jackson-databind in testcontainers, some scanners (Sonatype Firewall in my case) flags testcontainers as having the same vulnerabilities and blocks its usage.

In version 2.18.8 these vulnerabilities have been fixed, so upgrading to that version will also remove these vulnerabilities from testcontainers.

This fixes #11912

I'm aware of the following paragraph:

Dependency Upgrades:
Please do not open a pull request to update only a version dependency. Existing process will perform
the upgrade every week. However, if the upgrade involves more changes (changes for deprecated API) then
your pull request is very welcome.

But this dependency doesn't seem to be upgraded automatically. It hasn't been updated for ~6 months.

jackson-databind 2.18.4 has 2 high-scored vulnerabilities:
https://www.cve.org/CVERecord?id=CVE-2026-54512
https://www.cve.org/CVERecord?id=CVE-2026-54513

Due to shadowing of jackson-databind in testcontainers, some scanners (Sonatype Firewall in my case) flags testcontainers as having the same vulnerabilities and blocks its usage.

In version 2.18.8 these vulnerabilities have been fixed, so upgrading to that version will also remove these vulnerabilities from testcontainers.
@kosmaty kosmaty marked this pull request as ready for review July 7, 2026 08:54
@kosmaty kosmaty requested a review from a team as a code owner July 7, 2026 08:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: jackson-databind needs to be upgraded due to high vulnerability

1 participant