Skip to content

[Snyk] Fix for 1 vulnerabilities#29742

Open
harshach wants to merge 1 commit into
mainfrom
snyk-fix-57e2190f4519e927bfe0eab17140b798
Open

[Snyk] Fix for 1 vulnerabilities#29742
harshach wants to merge 1 commit into
mainfrom
snyk-fix-57e2190f4519e927bfe0eab17140b798

Conversation

@harshach

@harshach harshach commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue Upgrade
medium severity Improperly Controlled Modification of Dynamically-Determined Object Attributes
SNYK-JAVA-COMFASTERXMLJACKSONCORE-17457695
com.networknt:json-schema-validator:
2.0.1 -> 3.0.0
Major version upgrade Proof of Concept

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.

Vulnerabilities that could not be fixed

  • Upgrade:
    • Could not upgrade org.open-metadata:common@2.0.0-SNAPSHOT to org.open-metadata:common@DEMO_BETA1; Reason could not apply upgrade, dependency is managed externally ; Location: provenance does not contain location

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improperly Controlled Modification of Dynamically-Determined Object Attributes

Greptile Summary

This PR updates the Maven-managed JSON schema validator dependency.

  • Bumps com.networknt:json-schema-validator from 2.0.1 to 3.0.0.
  • Keeps the change scoped to the root pom.xml dependency version.

Confidence Score: 4/5

The schema validation dependency path can break after this major upgrade.

  • The project still builds validation inputs with Jackson 2 JsonNode values.
  • The upgraded validator uses Jackson 3 types, so reachable validation calls can fail at build time, link time, or runtime.
  • The change needs either a compatible validator version or a coordinated Jackson 3 migration for the validation paths.

pom.xml and the Java schema validation call sites

Important Files Changed

Filename Overview
pom.xml Bumps json-schema-validator to a new major version that changes the Jackson type boundary used by validation code.

Reviews (1): Last reviewed commit: "fix: pom.xml to reduce vulnerabilities" | Re-trigger Greptile

Greptile also left 1 inline comment on this PR.

Context used (3)

  • Context used - CLAUDE.md (source)
  • Context used - openmetadata-ui-core-components/CLAUDE.md (source)
  • Context used - AGENTS.md (source)

@harshach

harshach commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator Author

Merge Risk: High

This upgrade contains two high-risk major version changes. The json-schema-validator upgrade requires a Java runtime update and includes a major dependency upgrade with known breaking changes. The open-metadata:common upgrade is between two unstable, non-production versions with no available documentation, indicating a high degree of uncertainty and risk.

com.networknt:json-schema-validator@2.0.1 → 3.0.0

Risk: HIGH

This is a major version upgrade with significant breaking changes.

  • Java 17 Required: Version 3.0.0 and later require Java 17, which may necessitate a runtime environment upgrade.
  • Jackson 3 Upgrade: The library's core dependency has been upgraded from Jackson 2 to Jackson 3. This is a major update with its own set of breaking changes. The library maintainers note that this will likely break custom validator or walker implementations.
  • Known Issues: Version 3.0.0 contains a known bug related to the Jackson 3 upgrade that can cause crashes when validating schemas with array types, which was fixed in version 3.0.1.

Recommendation: This upgrade requires careful testing, especially if you have implemented custom validation logic. Ensure your environment is running on Java 17. Given the known issues in v3.0.0, consider targeting a later patch release if possible.

org.open-metadata:common@2.0.0-SNAPSHOT → DEMO_BETA1

Risk: HIGH

This upgrade is between two non-standard, pre-release versions (SNAPSHOT to a custom BETA tag). No specific release notes or changelogs are available for this transition.

  • High Uncertainty: The nature of these versions implies they are from a development branch and are not stable. The changes between them are undocumented, and there is a high probability of significant, unannounced breaking API changes.

Recommendation: Avoid this upgrade in a production environment. A manual review and thorough testing are required to determine the impact of the changes.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Copilot AI review requested due to automatic review settings July 3, 2026 21:51

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

❌ PR checklist incomplete

This PR cannot be merged until the following are addressed on its linked issue:

  • No GitHub issue is linked. Link an issue in the Development section of the PR (or add Fixes #12345 to the description). For a same-org cross-repo issue, add Fixes open-metadata/<repo>#123 to the description.

The fields live on the linked issue in the Shipping project (open the issue → right sidebar → Projects). After you set them, re-run this check (or push a commit) — issue/project changes do not re-trigger it automatically.

Maintainers can bypass this check by adding the skip-pr-checks label.

@github-actions github-actions Bot added backend safe to test Add this label to run secure Github workflows on PRs labels Jul 3, 2026
Comment thread pom.xml
<dropwizard-micrometer.version>3.0.0</dropwizard-micrometer.version>
<micrometer.version>1.15.12</micrometer.version>
<json-schema-validator.version>2.0.1</json-schema-validator.version>
<json-schema-validator.version>3.0.0</json-schema-validator.version>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Jackson Type Boundary Mismatch

When this dependency moves to json-schema-validator 3.0.0, validation APIs use Jackson 3 tools.jackson types while the service still creates Jackson 2 com.fasterxml.jackson JsonNode values. The reachable validation paths in task payload validation, entity extension validation, and CSV validation can then fail to compile/link or reject the wrong node type at runtime, breaking schema validation for user-supplied metadata.

@gitar-bot

gitar-bot Bot commented Jul 3, 2026

Copy link
Copy Markdown
Code Review ✅ Approved

Upgrades com.networknt:json-schema-validator to version 3.0.0 in pom.xml to remediate a medium-severity vulnerability. No issues found.

Options

Display: compact → Showing less information.

Comment with these commands to change the behavior for this request:

Compact
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backend safe to test Add this label to run secure Github workflows on PRs

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants