Yicong-Huang opened a new pull request, #6160: URL: https://github.com/apache/texera/pull/6160
### What changes were proposed in this PR? Backport of #6152 to `release/v1.2`: bump Jackson 2.18.6 → 2.18.8 (`jacksonVersion` in the root `build.sbt`), update the jar entries in each service's `LICENSE-binary`, and regenerate the `NOTICE-binary` files for the updated `META-INF` NOTICE content shipped in the 2.18.8 jars. Motivation is security: seven jackson-databind CVEs disclosed on 2026-06-22 (CVE-2026-54512 … 54518) are all fixed in 2.18.8, including two PolymorphicTypeValidator allowlist bypasses that allow arbitrary class instantiation when polymorphic deserialization is enabled ([CVE-2026-54512](https://github.com/advisories/GHSA-j3rv-43j4-c7qm), [CVE-2026-54513](https://nvd.nist.gov/vuln/detail/CVE-2026-54513)). See #6152 for details. Differences from the mainline PR: the `notebook-migration-service/` changes are dropped — that module does not exist on `release/v1.2` (this is why the label-driven backport check on #6152 could not pass). ### Any related issues, documentation, discussions? Backport of #6152. ### How was this PR tested? Existing test cases via the label-gated CI stacks; dependency bump only, no code change. The binary licensing check verifies LICENSE-binary/NOTICE-binary against the built distributables. ### Was this PR authored or co-authored using generative AI tooling? The original dependency bump was authored by @pjfanning (no AI declaration). The cherry-pick, NOTICE-binary regeneration, and this description were prepared with generative AI tooling: Generated-by: Claude Code (Claude Fable 5). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
