tballison commented on PR #1399: URL: https://github.com/apache/tika/pull/1399#issuecomment-1812616823
I looked over the git logs around the 2.9.1 release, and I should have included this dependency bump _before_ cutting 2.9.1-rc1. I suspect I was not eager to bump the dependencies right before a release without more in depth testing. That said, I reviewed this "vulnerability" just now. I concur with the jackson developers and others on [this issue](https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596308216) that this is not a problem despite what security scanners complain about. I personally don't think this merits a new release. I have no doubt that other, actual vulnerabilities will be found in our dependencies which would trigger a 2.9.2 soon enough. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org