This is an automated email from the ASF dual-hosted git repository.

mimaison pushed a commit to branch 4.2
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/4.2 by this push:
     new 5c5c78be42a KAFKA-20241: Bump jackson to 2.21.1 (#21621)
5c5c78be42a is described below

commit 5c5c78be42a9a88eac8be8bf458268500690c537
Author: averemee-si <[email protected]>
AuthorDate: Wed Mar 4 15:12:49 2026 +0100

    KAFKA-20241: Bump jackson to 2.21.1 (#21621)
    
    fix Jackson core vulnerability reported in
    
    1. https://github.com/advisories/GHSA-72hv-8253-57qq
    2. https://www.miggo.io/vulnerability-database/cve/GHSA-72hv-8253-57qq
    
    Issue report is at https://issues.apache.org/jira/browse/KAFKA-20241
    
    Reviewers: Chia-Ping Tsai <[email protected]>, Mickael Maison 
<[email protected]>
---
 LICENSE-binary             | 22 +++++++++++-----------
 gradle/dependencies.gradle |  4 ++--
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index 0d46d2a0a5f..32f38c6fbcd 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -213,16 +213,16 @@ License Version 2.0:
 - commons-logging-1.3.5
 - commons-validator-1.10.1
 - hash4j-0.22.0
-- jackson-annotations-2.20
-- jackson-core-2.20.1
-- jackson-databind-2.20.1
-- jackson-dataformat-csv-2.20.1
-- jackson-dataformat-yaml-2.20.1
-- jackson-datatype-jdk8-2.20.1
-- jackson-jakarta-rs-base-2.20.1
-- jackson-jakarta-rs-json-provider-2.20.1
-- jackson-module-blackbird-2.20.1
-- jackson-module-jakarta-xmlbind-annotations-2.20.1
+- jackson-annotations-2.21
+- jackson-core-2.21.1
+- jackson-databind-2.21.1
+- jackson-dataformat-csv-2.21.1
+- jackson-dataformat-yaml-2.21.1
+- jackson-datatype-jdk8-2.21.1
+- jackson-jakarta-rs-base-2.21.1
+- jackson-jakarta-rs-json-provider-2.21.1
+- jackson-module-blackbird-2.21.1
+- jackson-module-jakarta-xmlbind-annotations-2.21.1
 - jakarta.inject-api-2.0.1
 - jakarta.validation-api-3.0.2
 - javassist-3.30.2-GA
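Review bot: the ten jackson entries in this hunk repeat by hand the versions declared in gradle/dependencies.gradle, and nothing in the patch ties the two files together. Before merging, compare the list against the jar names in the built distribution. If jackson-core-2.21.1 is listed here but an older jar is packaged, LICENSE-binary would make the release look patched for the advisory when it is not.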
@@ -252,7 +252,7 @@ License Version 2.0:
 - scala-logging_2.13-3.9.6
 - scala-reflect-2.13.17
 - snappy-java-1.1.10.7
-- snakeyaml-2.4
+- snakeyaml-2.5
 - swagger-annotations-2.2.39
 
 ===============================================================================
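Review bot: the snakeyaml-2.4 to snakeyaml-2.5 change in this hunk is not covered by the commit message, which describes only the Jackson bump, and the gradle/dependencies.gradle hunk in this patch changes no snakeyaml version. If 2.5 arrives transitively with the new Jackson modules, say so in the commit message, so the extra upgrade on a release branch is reviewed deliberately rather than as a side effect.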
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 02751795df8..ff9ee05ec87 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -63,8 +63,8 @@ versions += [
   gradle: "9.2.1",
   grgit: "5.3.3",
   httpclient: "4.5.14",
-  jackson: "2.20.1",
-  jacksonAnnotations: "2.20",
+  jackson: "2.21.1",
+  jacksonAnnotations: "2.21",
   jacoco: "0.8.14",
   javassist: "3.30.2-GA",
   // Jetty 12.0.30+ introduced SLF4J 2.x fluent API usage (e.g. 
Logger.atDebug()) in production
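Review bot: jackson and jacksonAnnotations are bumped as two independent string literals in different formats ("2.21.1" and "2.21"), and nothing here documents why the annotations version omits the patch component or that the two keys must move together. A one-line comment above these keys would help the next security bump. Also confirm with a dependency report on the 4.2 branch that no transitive dependency still resolves jackson-core below 2.21.1, since the advisory fix depends on the resolved version, not the declared one.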
