[
https://issues.apache.org/jira/browse/BEAM-7881?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ismaël Mejía updated BEAM-7881:
-------------------------------
Fix Version/s: 3.0.0
> Get rid of jackson to avoid the continuous flow of CVEs in Jackson
> ------------------------------------------------------------------
>
> Key: BEAM-7881
> URL: https://issues.apache.org/jira/browse/BEAM-7881
> Project: Beam
> Issue Type: Task
> Components: sdk-java-core
> Affects Versions: 2.14.0
> Reporter: Romain Manni-Bucau
> Priority: Minor
> Fix For: 3.0.0
>
>
> Jackson keeps having CVE on all releases of databind and transitively beam
> sdk java core has CVE on all its releases (for the record, when writing this
> issue you must use at least jackson-databind 2.9.9.2 but last week it was
> 2.9.9.1 and 2.14 didn't get the fix).
> Can be neat to get rid of jackson which does not fix this issue for a very
> long time now and just use JSON-B or another JSON impl to ensure the CVE is
> not usable because beam is there.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
