
Update jackson-databind to 2.13.4.1 at least in order to fix vulnerabilities CVE-2022-42004 and CVE-2022-42003 #276

Closed
marcyrasta opened this issue Apr 4, 2023 · 7 comments

Comments

@marcyrasta commented Apr 4, 2023

Hello
The actual jackson-databind version is affected by CVE-2022-42004 and CVE-2022-42003

Please apply an upgrade to at least 2.13.4.1 in order to fix the vulnerabilities

@eiiches (Owner) commented Apr 4, 2023

Thanks for the heads-up. I'll release a new version this week.
However, note that jackson-jq itself is not affected by these vulnerabilities because it doesn't use the UNWRAP_SINGLE_VALUE_ARRAYS feature.

@marcyrasta (Author)

Thanks a lot, @eiiches
I have just read that jackson-jq-cli is not production-ready.
Is it due to the command line options that may change without notification? Or is it not reliable?

@marcyrasta (Author)

@eiiches
The jackson-jq-cli seems to work fine !!!
So maybe it was flagged as not production-ready just because there are no notifications in case of options change.
I look forward to receiving your reply and thanks again for the incoming version with a recent jackson-databind

@eiiches (Owner) commented Apr 4, 2023

@marcyrasta

Yes, it should work fine. It's just we don't expect users to run jackson-jq-cli on production servers or in any critical part of production services. It is provided only to help developers write, test and debug their jq scripts on their machines. And yes, the command line options may change without any deprecation phase or prior notice.

Hope this clarifies things for you :)

@eiiches (Owner) commented Apr 9, 2023

Released https://github.com/eiiches/jackson-jq/releases/tag/1.0.0-preview.20230409

eiiches closed this as completed Apr 9, 2023

@marcyrasta (Author)

The new version is not yet available in the Maven repository


@eiiches (Owner) commented Apr 10, 2023

I think it just takes some time for a new release to become visible there. It's already available on the Central, so you should be able to download the release directly from this link or using the following Maven dependency tag:

<dependency>
    <groupId>net.thisptr</groupId>
    <artifactId>jackson-jq</artifactId>
    <version>1.0.0-preview.20230409</version>
</dependency>
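For projects that cannot move to the new jackson-jq release immediately, Maven's dependencyManagement can force the transitive jackson-databind to the patched version. This is an added example, not code from the thread or the jackson-jq project; the groupId, artifactId and version of the consuming project are placeholders.

```xml
<!-- Added example POM (not from jackson-jq). The dependencyManagement
     entry overrides whatever jackson-databind version any dependency,
     including jackson-jq, pulls in transitively, so the resolved version
     is at least 2.13.4.1 (fix for CVE-2022-42003 / CVE-2022-42004). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>            <!-- placeholder -->
  <artifactId>jq-consumer</artifactId>      <!-- placeholder -->
  <version>0.1.0-SNAPSHOT</version>         <!-- placeholder -->

  <dependencyManagement>
    <dependencies>
      <!-- Pin the patched jackson-databind for every transitive path. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.13.4.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The release from this thread; with an older jackson-jq the pin
         above is what keeps the vulnerable jackson-databind out. -->
    <dependency>
      <groupId>net.thisptr</groupId>
      <artifactId>jackson-jq</artifactId>
      <version>1.0.0-preview.20230409</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the resolved version with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind`, which prints only the jackson-databind node and the version Maven actually selected.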
