PP-15351 Override dependencies#4227

Merged
kbottla merged 1 commit into master from pp_15351_override_dependencies on May 8, 2026

Conversation

@kbottla
Contributor

@kbottla kbottla commented May 7, 2026

WHAT

  • Overrides Jetty and Jackson dependencies due to vulnerable transitive dependencies, and the Dropwizard release with the latest versions of these libraries may take a while.
  • Added BOM instead of overriding specific vulnerable dependencies to ensure all modules in the group are aligned to the overridden version.
➜  pay-ledger git:(pp_15351_override_dependencies) mvn dependency:tree | grep "jetty-"
[INFO] |  |  \- org.eclipse.jetty:jetty-io:jar:12.1.8:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-http:jar:12.1.8:compile
[INFO] |  +- org.eclipse.jetty:jetty-security:jar:12.1.8:compile
[INFO] |  +- org.eclipse.jetty:jetty-server:jar:12.1.8:compile
[INFO] |  +- org.eclipse.jetty.ee10:jetty-ee10-servlet:jar:12.1.5:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-session:jar:12.1.8:compile
[INFO] |  +- org.eclipse.jetty:jetty-util:jar:12.1.8:compile
[INFO] |  +- org.eclipse.jetty.toolchain.setuid:jetty-setuid-jna:jar:2.0.3:compile
➜  pay-ledger git:(pp_15351_override_dependencies) mvn dependency:tree | grep "fasterxml"
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-guava:jar:2.21.3:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.21.3:compile
[INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.21.3:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-blackbird:jar:2.21.3:compile
[INFO] |  |  +- com.fasterxml:classmate:jar:1.7.3:compile
[INFO] |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.21.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.21:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.21.3:compile
[INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.21.3:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.21.3:compile
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-csv:jar:2.21.3:compile
[INFO] |  +- com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider:jar:2.21.3:compile
[INFO] |  |  +- com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-base:jar:2.21.3:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations:jar:2.21.3:compile
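
The BOM-import pattern the description refers to, as an added illustration rather than the PR's own pom.xml diff (which is not shown on this page). It assumes the project imports the Dropwizard BOM under a `dropwizard.version` property and uses the BOM coordinates published by the Jetty and Jackson projects; the versions are the ones visible in the dependency:tree output above.

```xml
<!-- Added example, not the actual change from this PR. Fragment of a pom.xml. -->
<project>
  <properties>
    <!-- Versions taken from the dependency:tree output in the PR description -->
    <jetty.version>12.1.8</jetty.version>
    <jackson.version>2.21.3</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Maven resolves conflicts between imported BOMs by first declaration,
           so the override BOMs must be listed BEFORE the Dropwizard BOM for
           their versions to win over Dropwizard's older pins. -->
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-bom</artifactId>
        <version>${jetty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- jetty-bom covers only the core org.eclipse.jetty modules. The tree
           above still shows jetty-ee10-servlet at 12.1.5, so the EE10 modules
           need their own BOM as well (coordinates assumed here). -->
      <dependency>
        <groupId>org.eclipse.jetty.ee10</groupId>
        <artifactId>jetty-ee10-bom</artifactId>
        <version>${jetty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- Dropwizard's BOM (assumed already present; property name assumed)
           stays after the overrides so its Jetty/Jackson pins lose. -->
      <dependency>
        <groupId>io.dropwizard</groupId>
        <artifactId>dropwizard-bom</artifactId>
        <version>${dropwizard.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After the change, re-run `mvn dependency:tree | grep "jetty-"` and `... | grep "fasterxml"` as in the description to confirm no module in either group is left on an older version.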

Contributor

@alexbishop1 alexbishop1 left a comment

BOMs are definitely the way to go here.

- Overrides Jetty and Jackson dependencies due to vulnerable transitive dependencies, and the Dropwizard release with the latest versions of these libraries may take a while.
- Added BOM instead of overriding specific vulnerable dependencies to ensure all modules in the group are aligned to compatible versions.
@kbottla kbottla force-pushed the pp_15351_override_dependencies branch from 87ee0f6 to 66fccbc Compare May 7, 2026 15:41
@kbottla kbottla merged commit 21d1aa8 into master May 8, 2026
8 checks passed
@kbottla kbottla deleted the pp_15351_override_dependencies branch May 8, 2026 07:03