Skip to content

fix(deps): Bump vulnerable dependencies to address CVEs#455

Merged
thehungryturnip merged 1 commit into
masterfrom
fix/bump-vulnerable-dependencies
Jul 8, 2026
Merged

fix(deps): Bump vulnerable dependencies to address CVEs#455
thehungryturnip merged 1 commit into
masterfrom
fix/bump-vulnerable-dependencies

Conversation

@thehungryturnip

Copy link
Copy Markdown
Contributor

Bumps multiple dependencies to fix 18 CVEs (1 Critical, 10 High, 7 Medium) reported via Snyk scan against v2.2.4.

Runtime dependency bumps:

Dependency Old New CVEs Fixed
jackson-* 2.14.1 2.17.2 4 High (DoS, buffer overflow, resource exhaustion)
commons-lang3 3.9 3.14.0 1 High (uncontrolled recursion)
aws-java-sdk-core 1.12.367 1.12.770 1 High (ion-java resource exhaustion)
aws-java-sdk-sts/kms 1.12.368 1.12.770 aligned with core
aws-lambda-java-log4j2 1.5.1 1.6.0 2 High (encoding/escaping via log4j-core)
aws-encryption-sdk-java 2.2.0 2.4.1 3 Medium (bouncycastle)

Build-time dependency bumps:

Dependency Old New CVEs Fixed
spotless-maven-plugin 2.28.0 2.40.0 2 High (jgit CVEs)

Jackson 2.17 compatibility

  • Replaced deprecated getCurrentLocation()currentLocation() and getCurrentName()currentName()
  • Re-enabled StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION to preserve existing error message format

Testing

  • All 396 unit tests pass ✅
  • mvn verify passes (compile + tests + spotbugs + checkstyle + spotless + jacoco)

Closes #438

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Bump jackson 2.14.1→2.17.2 (4 High CVEs), commons-lang3 3.9→3.14.0
(1 High), aws-java-sdk-core/sts/kms 1.12.367→1.12.770 (1 High via
ion-java), aws-lambda-java-log4j2 1.5.1→1.6.0 (2 High),
aws-encryption-sdk-java 2.2.0→2.4.1 (3 Medium via bouncycastle),
spotless-maven-plugin 2.28.0→2.40.0 (2 High via jgit, build-time).

Also fixes Jackson 2.17 deprecations (getCurrentLocation→currentLocation,
getCurrentName→currentName) and re-enables INCLUDE_SOURCE_IN_LOCATION
to preserve existing error message format for customers.

Closes #438
@thehungryturnip thehungryturnip merged commit 3ae497f into master Jul 8, 2026
7 checks passed
@thehungryturnip thehungryturnip deleted the fix/bump-vulnerable-dependencies branch July 8, 2026 18:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

aws-cloudformation-rpdk-java-plugin has dependencies with high severity vulnerabilities

3 participants