+1 for 1.11.2

IMO Jackson could be upgraded to 2.13.x only for 1.12.0. 2.12.7 is not affected by the CVEs.

On Fri, Nov 4, 2022, 20:07 Ryan Skraba <[email protected]> wrote:

> It looks like there's been a couple of CVE fixes in dependencies that
> we might want to have! See AVRO-3656, and perhaps AVRO-3658 (not yet
> merged, bumping to jackson 2.13, which might have breaking changes).
>
> We've been cherry-picking pretty nicely so the branch is in a pretty
> good state, with just a few Unresolved issues (mostly with existing
> PRs that need some committer attention!) that have been marked for
> 1.11.2
>
> What do you think?
>
> Ryan
>
> [1]
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
