Maintenance: Using vulnerable Jackson version

[barnabycollins]

Expected Behaviour

Use of the latest version of powertools does not raise a Dependabot security vulnerability

Current Behaviour

Use of the latest version of powertools results in the following Dependabot security notification related to the transitive jackson-core dependency, with High severity:

Code snippet

N/A

Possible Solution

Apologies, I wasn't sure which template to use here but hopefully the bug template is most appropriate.

There is a Dependabot PR on your repository that would fix the issue here, though CI is currently failing: #2403

Steps to Reproduce

1. Use the latest version of a relevant Powertools library in a project with Dependabot security alerts enabled
2. Observe the security alert raised against the project

Powertools for AWS Lambda (Java) version

2.9.0

AWS Lambda function runtime

Java 17

Debugging logs

[phipag]

Hi @barnabycollins,

thanks for bringing this up. I indeed need to debug some of the CI failures we have from dependabot PRs. Currently, we are facing some changes from upstream which are breaking our CI for two reasons:

• Incompatibility with Java 11
• Breaking GraalVM native tests (this is the case for the one you reported).

I need to dive into why it fails and will update you here.

[phipag]

Hey @barnabycollins again. I created a follow-up issue here with some initial thoughts about what could be the root-cause for this problem: #2416.

I pinned the graalvm version for now such that CI passes and we can unblock you and merge the dependency bump.