[Snyk] Security upgrade com.fasterxml.jackson.core:jackson-databind from 2.15.3 to 2.18.6

[sajith-subramanian]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• sdkmanager/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924	170	com.fasterxml.jackson.core:jackson-databind: 2.15.3 -> 2.18.6 No Path Found Proof of Concept

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

[sajith-subramanian]

This upgrade from Jackson Databind 2.15.3 to 2.18.6 is a minor version update that introduces several behavioral changes and an environment dependency update that require verification.

Key Changes:

• Stricter Number Deserialization (v2.17+): JSON strings with leading zeros (e.g., "07") are no longer automatically converted to numbers. This was a behavioral change to enforce stricter parsing.
• Kotlin Version Support (v2.18+): Support for Kotlin version 1.7.x has been dropped. Projects using the Jackson Kotlin module must be on Kotlin 1.8, 1.9, or 2.0.
• Behavioral Changes from Bug Fixes (v2.18): Several bug fixes have resulted in behavior changes between versions 2.17 and 2.18, particularly around deserialization with @JsonCreator and @ConstructorProperties.
• Security Default Change (v2.16+): For improved security against information leakage, the default for StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION was changed to false.

Recommendation:

• Verify Deserialization: Test application logic that relies on lenient parsing of numbers from strings.
• Kotlin Users: Ensure your project's Kotlin version is 1.8 or higher before upgrading.
• Review Tests: Pay close attention to tests related to custom object creation and deserialization, as behavior may have changed due to bug fixes.

Source: Jackson 2.16 Release Notes, Jackson 2.17 Release Notes, Jackson 2.18 Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[Copilot]

Pull request overview

Updates the sdkmanager module’s Jackson dependency version to remediate a reported Snyk vulnerability in com.fasterxml.jackson.core:jackson-databind.

Changes:

• Bump jackson.version in sdkmanager/pom.xml from 2.15.3 to 2.18.6.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

sdkmanager now upgrades jackson.version to 2.18.6, but datamanagement/pom.xml still pins its own jackson.version to 2.15.3 for jackson-datatype-jsr310. This can lead to mixed Jackson artifacts (and potentially reintroduce the vulnerable version via dependency resolution) when consumers depend on both modules. Consider aligning all Jackson artifacts across the repo (e.g., bump datamanagement’s jackson.version too, or manage Jackson versions via a shared parent/BOM).