CVE-2020-36518 - bump jackson from 2.11.2 to 2.13.3

[gtedesc0]

Bumps jackson from 2.11.2 to 2.13.3.

https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core

Signed-off-by: Gustavo Tedesco gustavo.tedesco@unico.io

[rangeldaykes]

LGTM

[gtedesc0]

@pierDipi Do you have any predictions for the acceptance of this PR?

[pierDipi]

@gtedesc0 can you add the reason for this bump in the PR body? is the fix you're looking for available in a patch release of Jackson?
A minor version bump would require a major release of SDK since that might break binary compatibility.

[gtedesc0]

@gtedesc0 can you add the reason for this bump in the PR body? is the fix you're looking for available in a patch release of Jackson? A minor version bump would require a major release of SDK since that might break binary compatibility.

The reason for this bump, correct vulnerability bellow
1 vulnerability

[pierDipi]

Thanks!

[pierDipi]

LGTM

Thanks!

[gtedesc0]

@pierDipi Do you have a forecast to enter a version 2.3.1?

[pierDipi]

As I wrote here #464 (comment), we need a 3.0.0 unless there is a fix in patch version of Jackson for 2.11 that we can use

[pierDipi]

I will try to see if there are other major features or fixes to include in 3.0.0 and then I will cut a release

[pierDipi]

fwiw, in my projects, I override Jackson's version with my own version [1] and [2]

[1] https://github.com/knative-sandbox/eventing-kafka-broker/blob/e4782fbc237d7575a7bfbd05f6bc549e5dbcd09e/data-plane/pom.xml#L269-L279
[2] https://github.com/knative-sandbox/eventing-kafka-broker/blob/e4782fbc237d7575a7bfbd05f6bc549e5dbcd09e/data-plane/pom.xml#L212-L218

you would need to make sure that everything still works as expected with the new Jackson's version in your system but that's another option to get the fix earlier.

[gtedesc0]

@pierDipi thank you so much!