Hi There,
I understand that it's not possible to upgrade to Jackson 3 due to compatibility issues with older Gradle versions.
However, the current used Version (2.14.2) of Jackson has a few pretty urgent security violations.
I understand, that this does not directly affect the security of applications that use the plugins, however there are two aspects worth considering:
- Many applications are built on public CI runners such as "Github-hosted runners" for Github Actions. There it's not clear, what else is on these machines and how hardened they are. So security at build time does actually matter.
- Gradle offers the Dependency Submission Github action that reports all dependencies to github's dependabot. This plugin also reports build time dependencies.
In an enterprise context, these security findings are often monitored and mitigation is mandatory (such is my case).
Therefore, I would really appreciate to upgrade at least to the latest patched version of Jackson 2.
Hi There,
I understand that it's not possible to upgrade to Jackson 3 due to compatibility issues with older Gradle versions.
However, the current used Version (2.14.2) of Jackson has a few pretty urgent security violations.
I understand, that this does not directly affect the security of applications that use the plugins, however there are two aspects worth considering:
In an enterprise context, these security findings are often monitored and mitigation is mandatory (such is my case).
Therefore, I would really appreciate to upgrade at least to the latest patched version of Jackson 2.