
chore: resolve open dependabot security alerts #309

Open

jonathannorris wants to merge 1 commit into main from chore/dependabot-alerts-fresh

Conversation

@jonathannorris

Member

Summary

  • Resolved 6 open Dependabot security alerts by bumping jackson-databind and related modules from 2.21.1 to 2.21.4

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|---|---|---|---|
| #42 | com.fasterxml.jackson.core:jackson-databind | high | Bumped to 2.21.4 via jackson_version |
| #43 | com.fasterxml.jackson.core:jackson-databind | high | Bumped to 2.21.4 via jackson_version |
| #41 | com.fasterxml.jackson.core:jackson-databind | medium | Bumped to 2.21.4 via jackson_version |
| #44 | com.fasterxml.jackson.core:jackson-databind | medium | Bumped to 2.21.4 via jackson_version |
| #46 | com.fasterxml.jackson.core:jackson-databind | medium | Bumped to 2.21.4 via jackson_version |
| #47 | com.fasterxml.jackson.core:jackson-databind | medium | Bumped to 2.21.4 via jackson_version |

Also added jackson-databind and jackson-core to the resolutionStrategy force blocks in the root build.gradle to ensure transitive references via Retrofit's converter also resolve to the patched version.

- com.fasterxml.jackson.core:jackson-databind 2.21.1 -> 2.21.4 (high/medium, alerts #42, #43, #44, #46, #47, #41)
- com.fasterxml.jackson.core:jackson-core 2.21.1 -> 2.21.4 (transitive, force via resolutionStrategy)
@jonathannorris jonathannorris requested a review from a team as a code owner July 2, 2026 13:44
Copilot AI review requested due to automatic review settings July 2, 2026 13:44
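The PR description above pins jackson-databind and jackson-core through `resolutionStrategy` force blocks in the root build.gradle. The following root build script is an added example of that pattern and is not the project's own build file: the version `2.21.4`, the `jackson_version` property name and the `:android-client-sdk` module path come from the PR, while the `eachDependency` rule (which goes beyond the two forced modules and aligns every artifact in the `com.fasterxml.jackson.core` group, so jackson-annotations cannot drift to a different version) and the `releaseRuntimeClasspath` configuration name used in the verification command are assumptions.

```groovy
// Added example of a root build.gradle (not the project's own file).
// Goal: every module, and the buildscript classpath, resolves the patched
// Jackson release even when it is only requested transitively (for example
// through Retrofit's Jackson converter).

buildscript {
    // Declared inside buildscript {} so the value exists before this block
    // runs; Gradle evaluates buildscript {} before the rest of the script.
    ext.jackson_version = '2.21.4'

    // Gradle plugins can carry their own Jackson copy on the build classpath,
    // so the buildscript configuration is pinned as well.
    configurations.classpath.resolutionStrategy {
        force "com.fasterxml.jackson.core:jackson-databind:${jackson_version}",
              "com.fasterxml.jackson.core:jackson-core:${jackson_version}"
    }
}

allprojects {
    configurations.all {
        resolutionStrategy {
            // Hard pin for the two modules named in the PR. 'force' wins over
            // any version requested directly or transitively, in both
            // directions: a module asking for a newer release is also pulled
            // back to this version, so bump this value when upgrading.
            force "com.fasterxml.jackson.core:jackson-databind:${jackson_version}",
                  "com.fasterxml.jackson.core:jackson-core:${jackson_version}"

            // Assumed extension: keep the rest of the core group (for example
            // jackson-annotations) on the same version so the resolved graph
            // does not mix Jackson releases.
            eachDependency { DependencyResolveDetails details ->
                if (details.requested.group == 'com.fasterxml.jackson.core') {
                    details.useVersion(jackson_version)
                    details.because('Dependabot alerts on jackson-databind below 2.21.4')
                }
            }
        }
    }
}
```

To confirm the pin actually took effect for the SDK module, inspect the resolved graph rather than the declared version, for example with `./gradlew :android-client-sdk:dependencyInsight --configuration releaseRuntimeClasspath --dependency jackson-databind` (the configuration name depends on the module's variants); the report lists the selected version, the reason string from `because`, and every path that requested it, which is where a still-vulnerable transitive request would show up.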

Copilot AI left a comment

Contributor


Pull request overview

This PR resolves open Dependabot security alerts by upgrading Jackson dependencies used by the Android client SDK and enforcing patched Jackson versions during Gradle dependency resolution to avoid vulnerable transitive versions.

Changes:

  • Bumped jackson_version from 2.21.1 to 2.21.4 for SDK dependencies.
  • Forced jackson-databind and jackson-core to 2.21.4 in root Gradle resolution strategies (buildscript classpath + all subprojects) to ensure patched transitive resolution.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| build.gradle | Forces patched Jackson versions (jackson-databind, jackson-core) via resolutionStrategy to override vulnerable transitive resolutions. |
| android-client-sdk/build.gradle | Updates jackson_version used by SDK Jackson dependencies to 2.21.4. |


2 participants