From 8486da5ded005063f54b2112f8e34a2e0014f647 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Stankiewicz?=
Date: Thu, 26 Mar 2026 16:34:34 +0100
Subject: [PATCH 1/2] Bump jackson_version - Fix GHSA-72hv-8253-57qq jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
---
 .../main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
index e24ff6004940..e4494c48930a 100644
--- a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
+++ b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
@@ -623,7 +623,7 @@ class BeamModulePlugin implements Plugin {
 def httpclient_version = "4.5.13"
 def httpcore_version = "4.4.14"
 def iceberg_bqms_catalog_version = "1.6.1-1.0.1"
- def jackson_version = "2.15.4"
+ def jackson_version = "2.18.6"
 def jaxb_api_version = "2.3.3"
 def jsr305_version = "3.0.2"
 def everit_json_version = "1.14.2"
From d8658e80c76a664b23e0aeb3b1a04306f24acc5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Stankiewicz?=
Date: Thu, 26 Mar 2026 16:39:14 +0100
Subject: [PATCH 2/2] Update dep_urls_java.yaml
---
 sdks/java/container/license_scripts/dep_urls_java.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdks/java/container/license_scripts/dep_urls_java.yaml b/sdks/java/container/license_scripts/dep_urls_java.yaml
index 88ff5e610230..995658eb3864 100644
--- a/sdks/java/container/license_scripts/dep_urls_java.yaml
+++ b/sdks/java/container/license_scripts/dep_urls_java.yaml
@@ -58,7 +58,7 @@ xz:
 '1.5': # The original repo is down. This license is taken from https://tukaani.org/xz/java.html.
 license: "file://{}/xz/COPYING"
 jackson-bom:
- '2.15.4':
+ '2.18.6':
 license: "https://raw.githubusercontent.com/FasterXML/jackson-bom/master/LICENSE"
 type: "Apache License 2.0"
 org.eclipse.jgit: