Closed
5 changes: 3 additions & 2 deletions access-control-app/project.clj
Expand Up @@ -28,9 +28,10 @@
(defproject nasa-cmr/cmr-access-control-app "0.1.0-SNAPSHOT"
:description "Implements the CMR access control application."
:url "https://github.com/nasa/Common-Metadata-Repository/tree/master/access-control-app"
:dependencies ~(concat '[[cheshire "5.12.0"]
:dependencies ~(concat '[[cheshire "5.12.0"
:exclusions [com.fasterxml.jackson.core/jackson-core]]
[clj-time "0.15.1"]
[com.fasterxml.jackson.core/jackson-core "2.15.4"]
[com.fasterxml.jackson.core/jackson-core "2.18.6"]
[commons-codec/commons-codec "1.11"]
[commons-io "2.18.0"]
[compojure "1.6.1"
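Review bot: The `:exclusions [com.fasterxml.jackson.core/jackson-core]` on cheshire closes only one transitive path to jackson-core; any other entry in this `:dependencies` vector that brings it in is overridden solely by the direct "2.18.6" pin a few lines below. Run `lein deps :tree` for this module and confirm that exactly one jackson-core, at 2.18.6, is resolved before merging.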
4 changes: 3 additions & 1 deletion bootstrap-app/project.clj
@@ -1,8 +1,10 @@
(defproject nasa-cmr/cmr-bootstrap-app "0.1.0-SNAPSHOT"
:description "Bootstrap is a CMR application that can bootstrap the CMR with data from Catalog REST."
:url "https://github.com/nasa/Common-Metadata-Repository/tree/master/bootstrap-app"
:dependencies [[cheshire "5.12.0"]
:dependencies [[cheshire "5.12.0"
:exclusions [com.fasterxml.jackson.core/jackson-core]]
[clj-http "2.3.0"]
[com.fasterxml.jackson.core/jackson-core "2.18.6"]
[clj-time "0.15.1"]
[commons-codec/commons-codec "1.11"]
[commons-io "2.18.0"]
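Review bot: The new `[com.fasterxml.jackson.core/jackson-core "2.18.6"]` entry carries no comment saying why this module declares jackson-core directly, and it sits between `clj-http` and `clj-time` whereas other files in this change place it right after the cheshire entry. Move it next to cheshire and add a short `;;` comment naming the reason for the pin, so that a later cleanup does not drop it as an unused dependency.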
4 changes: 3 additions & 1 deletion common-app-lib/project.clj
@@ -1,7 +1,9 @@
(defproject nasa-cmr/cmr-common-app-lib "0.1.0-SNAPSHOT"
:description "Library containing application services code common to multiple CMR applications."
:url "https://github.com/nasa/Common-Metadata-Repository/tree/master/common-app-lib"
:dependencies [[cheshire "5.12.0"]
:dependencies [[cheshire "5.12.0"
:exclusions [com.fasterxml.jackson.core/jackson-core]]
[com.fasterxml.jackson.core/jackson-core "2.18.6"]
[clj-time "0.15.1"]
[compojure "1.6.1"
:exclusions [commons-fileupload]]
5 changes: 3 additions & 2 deletions common-lib/project.clj
Expand Up @@ -5,7 +5,8 @@
:inherit [:managed-dependencies]}
:dependencies [[camel-snake-kebab "0.4.0"]
[cheshire
:exclusions [com.fasterxml.jackson.dataformat/jackson-dataformat-cbor]]
:exclusions [com.fasterxml.jackson.core/jackson-core
com.fasterxml.jackson.dataformat/jackson-dataformat-cbor]]
[clj-time]
[clojail "1.0.6"]

Expand All @@ -17,7 +18,7 @@

[clojusc/ltest "0.3.0"]
[com.dadrox/quiet-slf4j "0.1"]
[com.fasterxml.jackson.core/jackson-core "2.15.4"]
[com.fasterxml.jackson.core/jackson-core "2.18.6"]
[com.fasterxml.jackson.dataformat/jackson-dataformat-cbor "2.13.2"
:exclusions [com.fasterxml.jackson.core/jackson-databind]]
[com.gfredericks/test.chuck "0.2.9"]
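Review bot: jackson-core moves to "2.18.6" while the jackson-dataformat-cbor entry on the following line stays at "2.13.2", so this file now pairs a 2.18 core with a 2.13 data-format module. Jackson modules are normally kept on the same minor version as jackson-core; either bump jackson-dataformat-cbor in the same change or record why the older version is known to work with the new core.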
3 changes: 2 additions & 1 deletion elastic-utils-lib/project.clj
Expand Up @@ -5,7 +5,8 @@
:url "https://github.com/nasa/Common-Metadata-Repository/tree/master/elastic-utils-lib"
:parent-project {:path "../project.clj"
:inherit [:managed-dependencies]}
:dependencies [[cheshire]
:dependencies [[cheshire
:exclusions [com.fasterxml.jackson.core/jackson-core]]
[clj-http]
[clojurewerkz/elastisch "5.0.0-beta1"]
[commons-codec/commons-codec "1.11"]
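Review bot: After `:exclusions [com.fasterxml.jackson.core/jackson-core]` on cheshire, nothing in the visible `:dependencies` lines puts jackson-core back on this module's classpath. An entry under `:managed-dependencies` in the parent only fixes the version of a dependency that is declared somewhere; it does not declare one. Unless another dependency of this module supplies it, add a versionless `[com.fasterxml.jackson.core/jackson-core]` here so that cheshire still has the classes it needs at runtime.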
3 changes: 2 additions & 1 deletion message-queue-lib/project.clj
Expand Up @@ -11,7 +11,8 @@
:url "https://github.com/nasa/Common-Metadata-Repository/tree/master/message-queue-lib"
:parent-project {:path "../project.clj"
:inherit [:managed-dependencies]}
:dependencies [[cheshire]
:dependencies [[cheshire
:exclusions [com.fasterxml.jackson.core/jackson-core]]
[clj-http "2.3.0"] ;;behind other cmr projects
[clj-time]
[io.netty/netty-handler "4.1.125.Final"]
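Review bot: The cheshire exclusion here is not paired with a jackson-core entry in the visible `:dependencies` lines, unlike the modules in this change that add `[com.fasterxml.jackson.core/jackson-core "2.18.6"]` alongside it. Because this project inherits `:managed-dependencies`, a versionless `[com.fasterxml.jackson.core/jackson-core]` entry would be enough; without one, check with `lein deps :tree` that some other dependency still brings jackson-core in.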
4 changes: 3 additions & 1 deletion metadata-db-app/project.clj
Expand Up @@ -2,7 +2,9 @@
:description "The metadata db is a micro-service that provides
support for persisting metadata concepts."
:url "https://github.com/nasa/Common-Metadata-Repository/tree/master/metadata-db-app"
:dependencies [[cheshire "5.12.0"]
:dependencies [[cheshire "5.12.0"
:exclusions [com.fasterxml.jackson.core/jackson-core]]
[com.fasterxml.jackson.core/jackson-core "2.18.6"]
[clj-http "3.11.0"]
[clj-time "0.15.1"]
[commons-io "2.18.0"] ;; used by migration
1 change: 1 addition & 0 deletions project.clj
Expand Up @@ -21,6 +21,7 @@
[cheshire "5.12.0"] ;; latest is 6.1.0
[clj-http "3.11.0"] ;; latest is 3.13.1
[clj-time "0.15.1"] ;; latest is 0.15.2
[com.fasterxml.jackson.core/jackson-core "2.18.6"]
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

fd -p 'project.clj' | sort | while read -r f; do
  rg -n 'com\.fasterxml\.jackson\.(core|dataformat|datatype)/jackson-[^ ]+\s+"[^"]+"' "$f" || true
done | sort -u

Repository: nasa/Common-Metadata-Repository

Length of output: 984


Align the Jackson family versions across all project.clj files to avoid linkage issues.

Line 24 pins jackson-core to 2.18.6, but other modules use mismatched versions (jackson-annotations "2.15.4", jackson-dataformat-cbor "2.13.2" and "2.20.0", jackson-databind "2.20.0"). This version skew can cause linkage issues and prevent complete vulnerability remediation.

Establish a single coordinated version for all Jackson artifacts at the root-level managed-dependencies:

Proposed alignment
   :managed-dependencies [[at.yawk.lz4/lz4-java "1.10.1"]
                          [cheshire "5.12.0"] ;; latest is 6.1.0
                          [clj-http "3.11.0"] ;; latest is 3.13.1
                          [clj-time "0.15.1"] ;; latest is 0.15.2
+                         [com.fasterxml.jackson.core/jackson-annotations "2.18.6"]
                          [com.fasterxml.jackson.core/jackson-core "2.18.6"]
+                         [com.fasterxml.jackson.core/jackson-databind "2.18.6"]
                          [org.clojure/clojure "1.11.2"] ;; lattest is 1.11.4 or 1.12.2
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@project.clj` at line 24, Update the project's Jackson artifacts to a single
coordinated version by moving or overriding all jackson dependencies
(jackson-core, jackson-annotations, jackson-databind, jackson-dataformat-cbor,
etc.) into the root-level managed-dependencies in project.clj and setting them
to the same version; ensure any existing per-module pins (e.g., references to
jackson-core "2.18.6", jackson-annotations "2.15.4", jackson-dataformat-cbor
"2.13.2"/"2.20.0", jackson-databind "2.20.0") are removed or replaced so they
inherit the managed-dependencies entry, and run a build to verify no dependency
version skew remains.

[org.clojure/clojure "1.11.2"] ;; lattest is 1.11.4 or 1.12.2
[org.apache.commons/commons-compress "1.28.0"] ;; see testcontainers
[org.testcontainers/testcontainers "2.0.2" ;; latest
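Review bot: The added `[com.fasterxml.jackson.core/jackson-core "2.18.6"]` line is the only entry in this part of `:managed-dependencies` without a trailing `;;` comment, and the same "2.18.6" literal is also written out in the per-module project.clj files in this change. Add a comment recording why the version is pinned, and let modules that inherit `:managed-dependencies`, such as common-lib, declare jackson-core without a version so that the next bump is a one-line edit.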
4 changes: 3 additions & 1 deletion schema-validation-lib/project.clj
Expand Up @@ -3,7 +3,9 @@
:url "https://github.com/nasa/Common-Metadata-Repository/tree/master/schema-validation-lib"
:plugins [[lein-exec "0.3.7"]
[lein-shell "0.5.0"]]
:dependencies [[cheshire "5.12.0"]
:dependencies [[cheshire "5.12.0"
:exclusions [com.fasterxml.jackson.core/jackson-core]]
[com.fasterxml.jackson.core/jackson-core "2.18.6"]
[com.github.everit-org.json-schema/org.everit.json.schema "1.14.3"]
[org.clojure/clojure "1.11.2"]]
:repositories [["jitpack.io" "https://jitpack.io"]]
4 changes: 3 additions & 1 deletion search-app/project.clj
@@ -1,7 +1,9 @@
(defproject nasa-cmr/cmr-search-app "0.1.0-SNAPSHOT"
:description "Provides a public search API for concepts in the CMR."
:url "https://github.com/nasa/Common-Metadata-Repository/tree/master/search-app"
:dependencies [[cheshire "5.12.0"]
:dependencies [[cheshire "5.12.0"
:exclusions [com.fasterxml.jackson.core/jackson-core]]
[com.fasterxml.jackson.core/jackson-core "2.18.6"]
[clj-time "0.15.1"]
[commons-codec/commons-codec "1.11"]
[commons-io/commons-io "2.18.0"]
4 changes: 3 additions & 1 deletion search-relevancy-test/project.clj
Expand Up @@ -4,7 +4,9 @@
:license {:name "Eclipse Public License"
:url "http://www.eclipse.org/legal/epl-v10.html"}
:dependencies [[camel-snake-kebab "0.4.0"]
[cheshire "5.12.0"]
[cheshire "5.12.0"
:exclusions [com.fasterxml.jackson.core/jackson-core]]
[com.fasterxml.jackson.core/jackson-core "2.18.6"]
[clj-http "2.3.0"]
[clj-time "0.15.1"]
[commons-codec/commons-codec "1.11"]
4 changes: 3 additions & 1 deletion system-int-test/project.clj
Expand Up @@ -3,7 +3,9 @@
:url "https://github.com/nasa/Common-Metadata-Repository/tree/master/system-int-test"
:license {:name "Eclipse Public License"
:url "http://www.eclipse.org/legal/epl-v10.html"}
:dependencies [[cheshire "5.12.0"]
:dependencies [[cheshire "5.12.0"
:exclusions [com.fasterxml.jackson.core/jackson-core]]
[com.fasterxml.jackson.core/jackson-core "2.18.6"]
[clj-http "2.3.0"]
[clj-time "0.15.1"]
[clj-xml-validation "1.0.2"]