CMR-11108: bumps jackson-core

[daniel-zamora]

Overview

What is the objective?

Updates jackson-core to resolve snyk report on Chesire. Currently updating to cheshire 6.2 doens't work due to some interactions with testcontainers so for this solution I'm just forcing a valid version of jackson-core, avoiding the transitive dependency.

What are the changes?

Updates project.clj in affected apps

Required Checklist

• New and existing unit and int tests pass locally and remotely
• clj-kondo has been run locally and all errors in changed files are corrected
• I have commented my code, particularly in hard-to-understand areas
• I have made changes to the documentation (if necessary)
• My changes generate no new warnings

Additional Checklist

• I have removed unnecessary/dead code and imports in files I have changed
• I have cleaned up integration tests by doing one or more of the following:
  • migrated any are2 tests to are3 in files I have changed
  • de-duped, consolidated, removed dead int tests
  • transformed applicable int tests into unit tests
  • reduced number of system state resets by updating fixtures. Ex) (use-fixtures :each (ingest/reset-fixture {})) to be :once instead of :each

Summary by CodeRabbit

• Chores
  • Standardized Jackson libraries to version 2.18.6 across projects to ensure consistent runtime behavior.
  • Added explicit dependency entries and managed-dependency pins so Jackson artifacts are resolved to the intended version.
  • Introduced exclusions on transitive pulls so the declared Jackson version is used uniformly across services, libraries, and tests.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6abdd057-ed93-47c0-9bc2-d0f426cdeb53

📥 Commits

Reviewing files that changed from the base of the PR and between a05f78f and 396e315.

📒 Files selected for processing (3)

• common-lib/project.clj
• message-queue-lib/project.clj
• project.clj

✅ Files skipped from review due to trivial changes (1)

• project.clj

🚧 Files skipped from review as they are similar to previous changes (2)

• message-queue-lib/project.clj
• common-lib/project.clj

---

📝 Walkthrough

Walkthrough

Updated Leiningen dependency declarations across multiple projects to exclude com.fasterxml.jackson.core/jackson-core from cheshire and to pin Jackson artifacts (primarily jackson-core) to version 2.18.6 via explicit dependencies or managed-dependencies. No source code entities changed.

Changes

Cohort / File(s)	Summary
Root managed dependencies project.clj	Added managed dependency entries pinning com.fasterxml.jackson.core/jackson-annotations, com.fasterxml.jackson.core/jackson-core, and com.fasterxml.jackson.core/jackson-databind to 2.18.6.
Apps with explicit jackson-core override access-control-app/project.clj, bootstrap-app/project.clj, common-app-lib/project.clj, metadata-db-app/project.clj, schema-validation-lib/project.clj, search-app/project.clj, search-relevancy-test/project.clj, system-int-test/project.clj	Added :exclusions [com.fasterxml.jackson.core/jackson-core] to cheshire "5.12.0" and added an explicit dependency on [com.fasterxml.jackson.core/jackson-core "2.18.6"] in each project.
Libraries with cheshire exclusion only elastic-utils-lib/project.clj, message-queue-lib/project.clj	Added :exclusions [com.fasterxml.jackson.core/jackson-core] to the cheshire dependency. Additionally, message-queue-lib bumped com.fasterxml.jackson.core/jackson-annotations to 2.18.6.
Library with expanded exclusions and bumps common-lib/project.clj	Expanded cheshire exclusions to include com.fasterxml.jackson.core/jackson-core and com.fasterxml.jackson.dataformat/jackson-dataformat-cbor; updated explicit dependencies to jackson-core "2.18.6" and jackson-dataformat-cbor "2.18.6".

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• CMR-10917: Fix service bridge build and tests #2323: Modifies Leiningen Jackson dependencies and cheshire exclusions in a similar manner.

Suggested labels

hacktoberfest-accepted

Suggested reviewers

• zimzoom
• jceaser
• eereiter

Poem

🐰 I hopped through deps both near and far,
nudged jackson-core to a shinier star.
I fenced off transitive vines that creep—
now builds are snug and tests can sleep. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'CMR-11108: bumps jackson-core' directly and clearly relates to the main change—upgrading jackson-core versions across multiple project.clj files to resolve a Snyk vulnerability.
Description check	✅ Passed	The PR description includes the required Overview section (objective, changes, impacted areas) and all Required Checklist items are marked as completed; however, the 'What areas of the application does this impact?' subsection is missing specific application names.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch CMR-11108-2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@common-lib/project.clj`:
- Around line 8-9: Update the jackson-dataformat-cbor exclusion so its version
matches jackson-core (2.18.6); specifically replace any occurrences of
com.fasterxml.jackson.dataformat/jackson-dataformat-cbor pinned to an older
version with version 2.18.6 to align with
com.fasterxml.jackson.core/jackson-core, and make the same change for the other
exclusion instance referenced (the one around lines 21–23) to ensure consistent
Jackson versions across the project.clj exclusions.

In `@message-queue-lib/project.clj`:
- Around line 14-15: The project.clj dependency list pins "jackson-annotations"
to 2.15.4 which conflicts with the root's managed version 2.18.6; update the
"jackson-annotations" entry in project.clj (the dependency vector named
jackson-annotations) to match 2.18.6 or remove the explicit version so it
inherits the root-managed version, ensuring consistency across Jackson modules.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d414e971-eead-43cf-88d8-10b8b75497b3

📥 Commits

Reviewing files that changed from the base of the PR and between ec12986 and aa05a25.

📒 Files selected for processing (12)

• access-control-app/project.clj
• bootstrap-app/project.clj
• common-app-lib/project.clj
• common-lib/project.clj
• elastic-utils-lib/project.clj
• message-queue-lib/project.clj
• metadata-db-app/project.clj
• project.clj
• schema-validation-lib/project.clj
• search-app/project.clj
• search-relevancy-test/project.clj
• system-int-test/project.clj

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.89%. Comparing base (ec12986) to head (396e315).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2404      +/-   ##
==========================================
- Coverage   57.90%   57.89%   -0.01%     
==========================================
  Files        1067     1067              
  Lines       73454    73454              
  Branches     2126     2124       -2     
==========================================
- Hits        42531    42529       -2     
- Misses      28942    28943       +1     
- Partials     1981     1982       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.