Upgrade jackson-core to latest. Is this repo still maintained ?

[guillaume-verdon-sword]

Hello,

Our vulnerability scanner keeps raising alerts because we're using open-api-generator which relies on jackson-databind-nullable.

It seems the latest version here was released in Febuary 2023 and is dependent on com.fasterxml.jackson.core:jackson-core@2.14.0-rc2 which introduce a CWE-400 (see FasterXML/jackson-core#861)

I can see a PR that could fix this issue is opened here #52 but no follow-up was done since August 2024. Any chance to get it merged ? Is this repo still maintained ?

Regards :)

Guillaume

[plumstone]

One idea for the long term could be to mark the dependency jackson-databind as provided (inside the pom of this repo).

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <scope>provided</scope>
</dependency>

This would require all consumers of this dependency to also declare jackson-databind in their dependency section (which is probably already done by most consumers) but on the other hand provide way more flexibility which jackson version to use.
Also this dependency then does not need continuous maintenance, unless jackson-databind introduces a breaking change.

Could anyone share some opinions regarding my idea? :)

[wing328]

Sorry for late reply. We're looking for maintainers: #71

Let me know if you're interesting in maintaining this project. Thank you.