SWI-3723 [Snyk] Fix for 1 vulnerabilities

[bwappsec]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• samples/server/petstore/jaxrs/jersey2/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	170	com.fasterxml.jackson.datatype:jackson-datatype-jsr310: 2.17.1 -> 2.18.6 com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider: 2.17.1 -> 2.18.6 No Path Found Proof of Concept

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

[bwappsec]

This is a minor version upgrade for two Jackson modules from 2.17.1 to 2.18.6. While there are no explicit breaking API changes, this upgrade includes a significant internal rewrite of the POJO property introspection logic in the core jackson-databind dependency, which could introduce subtle behavioral changes.

Key Changes:

• Internal Introspection Rewrite: Jackson 2.18 features a major rewrite of its property introspection logic to resolve long-standing bugs related to creators and property handling. While intended to be an improvement, this was a large internal change, and several patch releases (2.18.1-2.18.6) have included fixes for regressions related to deserialization, @JsonCreator, and @JsonMerge.
• JAX-RS Provider: Support for JAX-RS 1.x, which was previously removed, has been restored in jackson-jaxrs-json-provider. This is an additive change and should not impact existing JAX-RS 2.x implementations.
• Java 8 Date/Time (jsr310): Includes a bug fix for ZonedDateTime serialization when using @JsonFormat.pattern with WRITE_DATES_WITH_ZONE_ID enabled.

Risk Assessment:

The risk is assessed as medium because the internal rewrite, while fixing bugs, may alter behavior in complex object serialization or deserialization scenarios. No direct code changes are required, but thorough testing is recommended to validate that existing JSON contracts behave as expected.

Recommendation:
Verify that object mapping, particularly for complex objects, records, and classes using @JsonCreator, continues to function correctly after the upgrade.

Source: Jackson 2.18 Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[bwappsec]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.