Replies: 2 comments 1 reply
-
|
I'm afraid you will need to speak to the 3rd party lib maintainer or fork the lib and fix it yourself. |
Beta Was this translation helpful? Give feedback.
-
|
Note that classes were deprecated all the way back in 2.12; their usage can cause JVM crash; and we talk about version bump 2.19->2.20 (or later). There should have been plenty of time to upgrade references earlier. But as to 2.19: that branch is closed so no new releases will be made by Jackson team (we already have 3 LTS and 2 head branches to manage). What you could perhaps do is publish |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Right now our application uses a 3rd-party library, which internally relies on databind; our attempts to update beyond 2.19.3 have failed because this library is affected by #4136; for that reason we are stuck on 2.19.3, but for security reasons we would really like to adopt a more recent version. On the other hand we also cannot go back to 2.18.8.
We are trying to get this 3rd party dependency fixed asap, but that's going to take a bit of time. In the meanwhile I want to understand if there is a chance to receive an upstream version of databind 2.19.x, which does not have open security vulnerabilities.
Beta Was this translation helpful? Give feedback.
All reactions