CMR-11108: bumps jackson-core

[daniel-zamora]

Overview

What is the objective?

Updates jackson-core to resolve snyk report on Chesire. Currently updating to cheshire 6.2 doens't work due to some interactions with testcontainers so for this solution I'm just forcing a valid version of jackson-core, avoiding the transitive dependency.

What are the changes?

Updates project.clj in affected apps

Required Checklist

• New and existing unit and int tests pass locally and remotely
• clj-kondo has been run locally and all errors in changed files are corrected
• I have commented my code, particularly in hard-to-understand areas
• I have made changes to the documentation (if necessary)
• My changes generate no new warnings

Additional Checklist

• I have removed unnecessary/dead code and imports in files I have changed
• I have cleaned up integration tests by doing one or more of the following:
  • migrated any are2 tests to are3 in files I have changed
  • de-duped, consolidated, removed dead int tests
  • transformed applicable int tests into unit tests
  • reduced number of system state resets by updating fixtures. Ex) (use-fixtures :each (ingest/reset-fixture {})) to be :once instead of :each

Summary by CodeRabbit

• Chores
  • Updated Jackson Core library to version 2.18.6 across all application modules and shared libraries. This system-wide dependency update ensures consistent version resolution throughout the entire ecosystem, improving overall system stability and compatibility. All components now use the same Jackson Core version to maintain unified functionality and reduce compatibility issues.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates Jackson Core dependency resolution across the monorepo by adding a managed dependency entry for jackson-core version 2.18.6 and systematically excluding jackson-core from transitive cheshire dependencies while explicitly pinning jackson-core to 2.18.6 in multiple sub-projects, upgrading from a previous version (2.15.4).

Changes

Cohort / File(s)	Summary
Managed Dependencies project.clj	Added jackson-core version 2.18.6 to top-level managed dependencies for version coordination across sub-projects.
Jackson Exclusion + Explicit Version access-control-app/project.clj, common-lib/project.clj	Added jackson-core exclusion to cheshire dependency and upgraded explicit jackson-core from 2.15.4 to 2.18.6.
Jackson Exclusion + New Explicit Dependency bootstrap-app/project.clj, common-app-lib/project.clj, metadata-db-app/project.clj, schema-validation-lib/project.clj, search-app/project.clj, search-relevancy-test/project.clj, system-int-test/project.clj	Added jackson-core exclusion to cheshire and introduced explicit jackson-core version 2.18.6 dependency.
Jackson Exclusion Only elastic-utils-lib/project.clj, message-queue-lib/project.clj	Added jackson-core exclusion to cheshire transitive dependencies; no explicit version pin added.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• CMR-10917: Fix service bridge build and tests #2323: Modifies Leiningen dependency declarations for Jackson artifacts across multiple project files, aligning Jackson versions.
• CMR-11032: update lz4 libraries #2359: Updates cheshire dependency handling and Jackson core resolution in common-lib/project.clj, addressing overlapping dependency coordination.

Suggested labels

hacktoberfest-accepted

Suggested reviewers

• jceaser
• zimzoom
• eereiter

Poem

🐰 A hop through Jackson's halls so bright,
Version two-point-eighteen now takes flight,
Exclusions set and deps aligned with care,
Transitive tangles dissolved in air! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'CMR-11108: bumps jackson-core' directly and clearly describes the main change—upgrading jackson-core version across multiple project files to resolve a security issue.
Description check	✅ Passed	The description covers all required sections: objective (updating jackson-core for Snyk security fix), changes (updates to project.clj files), and impacted areas. All required and additional checklist items are marked as completed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch CMR-11108-2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

common-lib/project.clj (1)

8-9: Align Jackson module minors (jackson-core vs jackson-dataformat-cbor).

Lines 21-22 show misaligned Jackson versions: jackson-core at 2.18.6 but jackson-dataformat-cbor at 2.13.2. For consistency and reduced linkage risk, align jackson-dataformat-cbor to 2.18.6:

Proposed alignment

-                 [com.fasterxml.jackson.dataformat/jackson-dataformat-cbor "2.13.2"
+                 [com.fasterxml.jackson.dataformat/jackson-dataformat-cbor "2.18.6"
                   :exclusions [com.fasterxml.jackson.core/jackson-databind]]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@common-lib/project.clj` around lines 8 - 9, The Jackson modules are using
mismatched minor versions: update the dependency entry for
jackson-dataformat-cbor to match jackson-core's version (2.18.6) so both modules
use the same minor/patch line; locate the dependency declaration that references
com.fasterxml.jackson.dataformat/jackson-dataformat-cbor (and any exclusions
referencing com.fasterxml.jackson.core/jackson-core) in project.clj and change
the version token for jackson-dataformat-cbor to 2.18.6 to align with
jackson-core.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@project.clj`:
- Line 24: Update the project's Jackson artifacts to a single coordinated
version by moving or overriding all jackson dependencies (jackson-core,
jackson-annotations, jackson-databind, jackson-dataformat-cbor, etc.) into the
root-level managed-dependencies in project.clj and setting them to the same
version; ensure any existing per-module pins (e.g., references to jackson-core
"2.18.6", jackson-annotations "2.15.4", jackson-dataformat-cbor
"2.13.2"/"2.20.0", jackson-databind "2.20.0") are removed or replaced so they
inherit the managed-dependencies entry, and run a build to verify no dependency
version skew remains.

---

Nitpick comments:
In `@common-lib/project.clj`:
- Around line 8-9: The Jackson modules are using mismatched minor versions:
update the dependency entry for jackson-dataformat-cbor to match jackson-core's
version (2.18.6) so both modules use the same minor/patch line; locate the
dependency declaration that references
com.fasterxml.jackson.dataformat/jackson-dataformat-cbor (and any exclusions
referencing com.fasterxml.jackson.core/jackson-core) in project.clj and change
the version token for jackson-dataformat-cbor to 2.18.6 to align with
jackson-core.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6e5c119b-bd4a-45a2-9890-61c3b32952c5

📥 Commits

Reviewing files that changed from the base of the PR and between ec12986 and 58a6b93.

📒 Files selected for processing (12)

• access-control-app/project.clj
• bootstrap-app/project.clj
• common-app-lib/project.clj
• common-lib/project.clj
• elastic-utils-lib/project.clj
• message-queue-lib/project.clj
• metadata-db-app/project.clj
• project.clj
• schema-validation-lib/project.clj
• search-app/project.clj
• search-relevancy-test/project.clj
• system-int-test/project.clj

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

fd -p 'project.clj' | sort | while read -r f; do
  rg -n 'com\.fasterxml\.jackson\.(core|dataformat|datatype)/jackson-[^ ]+\s+"[^"]+"' "$f" || true
done | sort -u

Repository: nasa/Common-Metadata-Repository

Length of output: 984

---

Align the Jackson family versions across all project.clj files to avoid linkage issues.

Line 24 pins jackson-core to 2.18.6, but other modules use mismatched versions (jackson-annotations "2.15.4", jackson-dataformat-cbor "2.13.2" and "2.20.0", jackson-databind "2.20.0"). This version skew can cause linkage issues and prevent complete vulnerability remediation.

Establish a single coordinated version for all Jackson artifacts at the root-level managed-dependencies:

Proposed alignment

   :managed-dependencies [[at.yawk.lz4/lz4-java "1.10.1"]
                          [cheshire "5.12.0"] ;; latest is 6.1.0
                          [clj-http "3.11.0"] ;; latest is 3.13.1
                          [clj-time "0.15.1"] ;; latest is 0.15.2
+                         [com.fasterxml.jackson.core/jackson-annotations "2.18.6"]
                          [com.fasterxml.jackson.core/jackson-core "2.18.6"]
+                         [com.fasterxml.jackson.core/jackson-databind "2.18.6"]
                          [org.clojure/clojure "1.11.2"] ;; lattest is 1.11.4 or 1.12.2

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@project.clj` at line 24, Update the project's Jackson artifacts to a single
coordinated version by moving or overriding all jackson dependencies
(jackson-core, jackson-annotations, jackson-databind, jackson-dataformat-cbor,
etc.) into the root-level managed-dependencies in project.clj and setting them
to the same version; ensure any existing per-module pins (e.g., references to
jackson-core "2.18.6", jackson-annotations "2.15.4", jackson-dataformat-cbor
"2.13.2"/"2.20.0", jackson-databind "2.20.0") are removed or replaced so they
inherit the managed-dependencies entry, and run a build to verify no dependency
version skew remains.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.89%. Comparing base (ec12986) to head (58a6b93).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2403      +/-   ##
==========================================
- Coverage   57.90%   57.89%   -0.01%     
==========================================
  Files        1067     1067              
  Lines       73454    73454              
  Branches     2126     2125       -1     
==========================================
- Hits        42531    42528       -3     
- Misses      28942    28943       +1     
- Partials     1981     1983       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.