Yicong-Huang opened a new pull request, #6160:
URL: https://github.com/apache/texera/pull/6160

   ### What changes were proposed in this PR?
   
   Backport of #6152 to `release/v1.2`: bump Jackson 2.18.6 → 2.18.8 
(`jacksonVersion` in the root `build.sbt`), update the jar entries in each 
service's `LICENSE-binary`, and regenerate the `NOTICE-binary` files for the 
updated `META-INF` NOTICE content shipped in the 2.18.8 jars.
   
   Motivation is security: seven jackson-databind CVEs disclosed on 2026-06-22 
(CVE-2026-54512 … 54518) are all fixed in 2.18.8, including two 
PolymorphicTypeValidator allowlist bypasses that allow arbitrary class 
instantiation when polymorphic deserialization is enabled 
([CVE-2026-54512](https://github.com/advisories/GHSA-j3rv-43j4-c7qm), 
[CVE-2026-54513](https://nvd.nist.gov/vuln/detail/CVE-2026-54513)). See #6152 
for details.
   
   Differences from the mainline PR: the `notebook-migration-service/` changes 
are dropped — that module does not exist on `release/v1.2` (this is why the 
label-driven backport check on #6152 could not pass).
   
   ### Any related issues, documentation, discussions?
   
   Backport of #6152.
   
   ### How was this PR tested?
   
   Existing test cases via the label-gated CI stacks; dependency bump only, no 
code change. The binary licensing check verifies LICENSE-binary/NOTICE-binary 
against the built distributables.
   
   ### Was this PR authored or co-authored using generative AI tooling?
   
   The original dependency bump was authored by @pjfanning (no AI declaration). 
The cherry-pick, NOTICE-binary regeneration, and this description were prepared 
with generative AI tooling: Generated-by: Claude Code (Claude Fable 5).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to