Skip to content

[bot] Fast-forward for 26.3.16#1436

Merged
github-actions[bot] merged 2 commits into
release26.3from
26.3_ff_bot_26.3.16
Jul 7, 2026
Merged

[bot] Fast-forward for 26.3.16#1436
github-actions[bot] merged 2 commits into
release26.3from
26.3_ff_bot_26.3.16

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Generated automatically.
Approve all matching PRs simultaneously.
Approval will trigger automatic merge.
View all PRs: https://internal.labkey.com/Scrumtime/Backlog/harvest-gitOpenPullRequests.view?branch=26.3_ff_bot_26.3.16

labkey-martyp and others added 2 commits July 1, 2026 11:49
## Rationale

The 26.3 OWASP Dependency Check build flagged 18 findings: seven CVEs
(CVE-2026-54512 through CVE-2026-54518) against each of Jackson 2.x
(com.fasterxml.jackson.core:jackson-databind 2.21.0) and Jackson 3.x
(tools.jackson.core:jackson-databind 3.1.0), plus CVE-2026-53914 against
the transitive Kotlin jars.

## Related Pull Requests

None.

## Changes

- Bump Jackson 2.x (jacksonVersion, jacksonDatabindVersion,
jacksonJaxrsBaseVersion) to 2.21.4 and jackson3Version to 3.1.4.
- Suppress CVE-2026-53914 for the transitive Kotlin jars (not
applicable: LabKey compiles no Kotlin; the jars are transitive OkHttp
runtime deps).
@github-actions github-actions Bot merged commit d535db9 into release26.3 Jul 7, 2026
6 checks passed
@github-actions github-actions Bot deleted the 26.3_ff_bot_26.3.16 branch July 7, 2026 18:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants