Update jackson dependencies due to CVE-2020-36518

[brunchboy]

We are having to update our own dependencies because of a vulnerability in jackson-databind and this project is one of our direct dependencies which led to it being included in the first place, so you may want to update your jackson versions as well.

https://nvd.nist.gov/vuln/detail/CVE-2020-36518

[joschi]

Dropwizard Metrics 4.2.x is already using Jackson 2.12.7 which is not affected by this vulnerability.

• https://github.com/dropwizard/metrics/blob/v4.2.10/metrics-json/pom.xml#L20
• https://github.com/dropwizard/metrics/blob/v4.2.10/metrics-servlets/pom.xml#L23
• https://github.com/dropwizard/metrics/blob/v4.2.10/metrics-jakarta-servlets/pom.xml#L23

We won't upgrade the Jackson version in Dropwizard Metrics 4.1.x, but you can override the version of Jackson being used in your project by adding the respective artifacts into the <dependencies> or <dependencyManagement> section of your POM or the equivalents of your build system.

[brunchboy]

Thanks, it wasn’t clear to me by trying to follow the pom.xml chain that this was already addressed. We are already explicitly pulling in a more recent version in our project.clj because other dependencies are still trying to use an older version, so there’s nothing left to be done until they get updated.