Skip to content

CHK-13321: Force jackson-core 3.1.1 across all Gradle configurations#348

Merged
pboos merged 2 commits intomainfrom
CHK-13321-fix-jackson-core-all-configs
Apr 10, 2026
Merged

CHK-13321: Force jackson-core 3.1.1 across all Gradle configurations#348
pboos merged 2 commits intomainfrom
CHK-13321-fix-jackson-core-all-configs

Conversation

@pboos
Copy link
Copy Markdown
Contributor

@pboos pboos commented Apr 10, 2026

Summary

  • Adds a project-wide resolutionStrategy to force tools.jackson.core:jackson-core to 3.1.1 across ALL configurations in ALL subprojects
  • The previous fix (ext['jackson-bom.version']) only covered example projects using the spring-dependency-management plugin
  • The spring-boot-starter-web and spring-boot-starter-webflux modules use compileOnly with platform(SpringBootPlugin.BOM_COORDINATES), so jackson-core:3.1.0 remained on their compileClasspath
  • Since the dependency submission action includes compileClasspath, the Dependabot alert stayed open

Vulnerability Details

  • GHSA: GHSA-2m67-wjpj-xhg9
  • Severity: HIGH (CVSS 7.5)
  • Vulnerable Range: >= 3.0.0, <= 3.1.0
  • Patched Version: 3.1.1
  • Package: tools.jackson.core:jackson-core

Changes

  • Added configurations.configureEach with resolutionStrategy.eachDependency in root build.gradle subprojects block

Testing

  • ✅ Verified jackson-core resolves to 3.1.1 on compileClasspath for both spring-boot-starter-web and spring-boot-starter-webflux
  • ✅ All tests passing locally

References

🤖 Generated with Claude Code

pboos and others added 2 commits April 10, 2026 15:02
@pboos @claude
CHK-13321: force jackson-core 3.1.1 across all configurations
0ecfcb9 
The previous fix (ext['jackson-bom.version']) only covered example
projects using the spring-dependency-management plugin. The
spring-boot-starter-web and spring-boot-starter-webflux modules use
compileOnly for Spring Boot starters with platform(BOM_COORDINATES),
so jackson-core:3.1.0 remained on their compileClasspath. Since the
dependency submission action includes compileClasspath, the Dependabot
alert stayed open.

This adds a resolutionStrategy in the root build.gradle that forces
tools.jackson.core:jackson-core to 3.1.1 across ALL configurations
in ALL subprojects.

Closes CHK-13321

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pboos @claude
CHK-13321: only override jackson-core when resolved version < 3.1.1
e20f324 
Avoids pinning to 3.1.1 if a newer version is requested through
other dependencies (e.g. future Spring Boot upgrade).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pboos pboos marked this pull request as ready for review April 10, 2026 13:18
@pboos pboos requested a review from a team as a code owner April 10, 2026 13:18
@pboos pboos requested a review from ursulean April 10, 2026 13:18
@pboos pboos merged commit 5292b37 into main Apr 10, 2026
4 checks passed
@pboos pboos deleted the CHK-13321-fix-jackson-core-all-configs branch April 10, 2026 13:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@huguenin huguenin huguenin approved these changes

@ursulean ursulean Awaiting requested review from ursulean ursulean is a code owner automatically assigned from getyourguide/chk

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pboos @huguenin