From 0ecfcb9acc72a24d97f24128d15d9682b3967b91 Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Fri, 10 Apr 2026 15:02:32 +0200
Subject: [PATCH 1/2] CHK-13321: force jackson-core 3.1.1 across all configurations
The previous fix (ext['jackson-bom.version']) only covered example projects using the spring-dependency-management plugin. The spring-boot-starter-web and spring-boot-starter-webflux modules use compileOnly for Spring Boot starters with platform(BOM_COORDINATES), so jackson-core:3.1.0 remained on their compileClasspath. Since the dependency submission action includes compileClasspath, the Dependabot alert stayed open. This adds a resolutionStrategy in the root build.gradle that forces tools.jackson.core:jackson-core to 3.1.1 across ALL configurations in ALL subprojects.
Closes CHK-13321
Co-Authored-By: Claude Opus 4.6
---
 build.gradle | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/build.gradle b/build.gradle
index 365d62e..e4ead78 100644
--- a/build.gradle
+++ b/build.gradle
@@ -23,6 +23,15 @@ allprojects {
 }
 
 subprojects {
+ configurations.configureEach {
+ resolutionStrategy.eachDependency {
+ if (requested.group == 'tools.jackson.core' && requested.name == 'jackson-core') {
+ useVersion('3.1.1')
+ because('GHSA-2m67-wjpj-xhg9: Jackson Core 3.0.0-3.1.0 maxDocumentLength bypass')
+ }
+ }
+ }
+
 if(it.parent.name == 'examples') {
 apply plugin: 'java'
 } else {
From e20f32439f683934df199520f2d62762708fcb7f Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Fri, 10 Apr 2026 15:16:16 +0200
Subject: [PATCH 2/2] CHK-13321: only override jackson-core when resolved version < 3.1.1
Avoids pinning to 3.1.1 if a newer version is requested through other dependencies (e.g. future Spring Boot upgrade).
Co-Authored-By: Claude Opus 4.6
---
 build.gradle | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index e4ead78..a5fa826 100644
--- a/build.gradle
+++ b/build.gradle
@@ -25,7 +25,8 @@ allprojects {
 subprojects {
 configurations.configureEach {
 resolutionStrategy.eachDependency {
- if (requested.group == 'tools.jackson.core' && requested.name == 'jackson-core') {
+ if (requested.group == 'tools.jackson.core' && requested.name == 'jackson-core'
+ && requested.version != null && requested.version < '3.1.1') {
 useVersion('3.1.1')
 because('GHSA-2m67-wjpj-xhg9: Jackson Core 3.0.0-3.1.0 maxDocumentLength bypass')
 }
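Review bot: `requested.version < '3.1.1'` on the new `if` line is a plain String comparison in Groovy, so it orders versions lexicographically rather than numerically: a future `10.0.0` compares below `3.1.1` and would be forced back down to 3.1.1, and qualifiers such as `3.1.1-SNAPSHOT` or dynamic selectors like `3.+` land in whichever branch their first differing character happens to dictate. The added `requested.version != null` guard also means a `jackson-core` edge whose version is supplied only through a platform/BOM constraint is skipped if Gradle reports its requested version as null for that edge — that looks like the `compileOnly platform(...)` path the first commit was written for, so the starters' compileClasspath is worth re-checking after this change. A dependency constraint on `tools.jackson.core:jackson-core` with `version { require '3.1.1' }` states the intent directly — a floor that conflict resolution may raise but never lowers — without hand-rolled version ordering; if the `eachDependency` hook is kept instead, compare parsed numeric components rather than strings. The enclosing `subprojects {` block continues past the end of the hunk.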