[Snyk] Fix for 1 vulnerabilities

[snyk-io]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	170	com.fasterxml.jackson.core:jackson-databind: 2.15.2 -> 2.18.6 com.fasterxml.jackson.dataformat:jackson-dataformat-yaml: 2.15.2 -> 2.18.6 No Path Found Proof of Concept

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

[snyk-io]

This upgrade for jackson-databind and jackson-dataformat-yaml from version 2.15.2 to 2.18.6 is a series of minor updates that introduce new features, performance improvements, and some behavioral changes that require verification.

Key Changes:

• Stricter Number Deserialization (v2.17): Jackson no longer coerces JSON strings with leading zeros (e.g., "07") into numbers by default. [18] Applications relying on this lenient parsing for enums or numeric types may fail.
• Property Introspection Rewrite (v2.18): A significant internal rewrite of the property introspection logic was completed to fix long-standing bugs. [1] While beneficial, this has led to subtle behavioral changes and some regressions that were addressed in patch releases. For example, issues with @JsonCreator and Records were reported and fixed in patch versions included in this upgrade. [11]
• Kotlin Version Support (v2.18): For projects using jackson-module-kotlin, support for Kotlin 1.7.x has been dropped. Supported versions are now 1.8, 1.9, and 2.0. [7, 9]
• Security-related Default Change (v2.16): The default for StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION is now false to reduce information leakage in exceptions. [17]

Recommendation:

Given the stricter parsing rules and the major internal rewrite, it is recommended to perform thorough regression testing, paying close attention to deserialization logic, especially where lenient string-to-number conversion might have been implicitly used.

Source: Jackson 2.16 Release Notes, Jackson 2.17 Release Notes, Jackson 2.18 Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.