[Snyk] Fix for 1 vulnerabilities#29742
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-17457695
|
This upgrade contains two high-risk major version changes. The com.networknt:json-schema-validator@2.0.1 → 3.0.0Risk: HIGH This is a major version upgrade with significant breaking changes.
Recommendation: This upgrade requires careful testing, especially if you have implemented custom validation logic. Ensure your environment is running on Java 17. Given the known issues in v3.0.0, consider targeting a later patch release if possible. org.open-metadata:common@2.0.0-SNAPSHOT → DEMO_BETA1Risk: HIGH This upgrade is between two non-standard, pre-release versions (
Recommendation: Avoid this upgrade in a production environment. A manual review and thorough testing are required to determine the impact of the changes.
|
❌ PR checklist incompleteThis PR cannot be merged until the following are addressed on its linked issue:
The fields live on the linked issue in the Shipping project (open the issue → right sidebar → Projects). After you set them, re-run this check (or push a commit) — issue/project changes do not re-trigger it automatically. Maintainers can bypass this check by adding the |
| <dropwizard-micrometer.version>3.0.0</dropwizard-micrometer.version> | ||
| <micrometer.version>1.15.12</micrometer.version> | ||
| <json-schema-validator.version>2.0.1</json-schema-validator.version> | ||
| <json-schema-validator.version>3.0.0</json-schema-validator.version> |
There was a problem hiding this comment.
Jackson Type Boundary Mismatch
When this dependency moves to json-schema-validator 3.0.0, validation APIs use Jackson 3 tools.jackson types while the service still creates Jackson 2 com.fasterxml.jackson JsonNode values. The reachable validation paths in task payload validation, entity extension validation, and CSV validation can then fail to compile/link or reject the wrong node type at runtime, breaking schema validation for user-supplied metadata.
Code Review ✅ ApprovedUpgrades com.networknt:json-schema-validator to version 3.0.0 in pom.xml to remediate a medium-severity vulnerability. No issues found. OptionsDisplay: compact → Showing less information. Comment with these commands to change the behavior for this request:
Was this helpful? React with 👍 / 👎 | Gitar |
Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
pom.xmlVulnerabilities that will be fixed with an upgrade:
SNYK-JAVA-COMFASTERXMLJACKSONCORE-17457695
2.0.1->3.0.0Major version upgradeProof of ConceptBreaking Change Risk
Vulnerabilities that could not be fixed
org.open-metadata:common@2.0.0-SNAPSHOTtoorg.open-metadata:common@DEMO_BETA1; Reasoncould not apply upgrade, dependency is managed externally; Location:provenance does not contain locationImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Greptile Summary
This PR updates the Maven-managed JSON schema validator dependency.
com.networknt:json-schema-validatorfrom2.0.1to3.0.0.pom.xmldependency version.Confidence Score: 4/5
The schema validation dependency path can break after this major upgrade.
JsonNodevalues.pom.xml and the Java schema validation call sites
Important Files Changed
json-schema-validatorto a new major version that changes the Jackson type boundary used by validation code.Reviews (1): Last reviewed commit: "fix: pom.xml to reduce vulnerabilities" | Re-trigger Greptile
Context used (3)