From cd194fb768cd638d1b95880491c729957ffd76e8 Mon Sep 17 00:00:00 2001
From: joerg84
Date: Fri, 5 Jun 2026 16:52:24 -0400
Subject: [PATCH 1/3] fix(deps): bump jackson to 2.18.8 to fix CVE-2025-52999 (DoS)

jackson-core 2.14.2 is vulnerable to CVE-2025-52999 (HIGH, CVSS 8.7): a StackOverflowError when parsing deeply nested JSON, enabling a remote DoS. The fix is jackson-core 2.15.0+, which adds StreamReadConstraints with a default nesting limit of 1000.

- Bump jackson-core and jackson-databind 2.14.2 -> 2.18.8 (kept aligned).
- shadowJar: exclude META-INF/versions/21/** from the (unpublished) fat jar. jackson-core 2.15+ is a multi-release JAR carrying Java 21 (class-file major 65) classes; the Shadow 8.1.1 plugin relocates com.fasterxml and its ASM cannot read major 65 ("Unsupported class file major version 65"). Dropping the JDK-21-only variants is safe: the base classes remain and multi-release fallback applies. This is the same shadowJar failure that blocks the dependabot bump in #217.

Co-Authored-By: Claude Opus 4.8
---
 build.gradle | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index 1c055651..217f903c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -47,8 +47,8 @@ dependencies {
 implementation 'com.google.api.grpc:proto-google-common-protos:2.14.3'
 implementation 'com.squareup.okhttp3:okhttp:4.12.0'
 implementation 'com.squareup.okhttp3:logging-interceptor:4.12.0'
- implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.2'
- implementation 'com.fasterxml.jackson.core:jackson-core:2.14.2'
+ implementation 'com.fasterxml.jackson.core:jackson-databind:2.18.8'
+ implementation 'com.fasterxml.jackson.core:jackson-core:2.18.8'
 implementation 'com.google.code.gson:gson:2.9.1'
 implementation 'io.gsonfire:gson-fire:1.8.5'
 implementation 'org.openapitools:jackson-databind-nullable:0.2.6'
@@ -60,7 +60,7 @@ dependencies {
 testImplementation "org.hamcrest:hamcrest:2.2"
 testImplementation 'org.mockito:mockito-inline:4.8.0'
 testImplementation 'org.slf4j:slf4j-simple:2.0.5'
- testImplementation 'com.fasterxml.jackson.core:jackson-databind:2.14.2'
+ testImplementation 'com.fasterxml.jackson.core:jackson-databind:2.18.8'
 testImplementation 'org.junit.jupiter:junit-jupiter-api:5.8.0'
 testImplementation 'org.junit.platform:junit-platform-launcher:1.8.0'
 testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.8.0'
@@ -155,6 +155,12 @@ task integrationTest(type: Test) {
 import com.github.jengelman.gradle.plugins.shadow.transformers.ServiceFileTransformer
 shadowJar {
+ // jackson-core (2.15+) is a multi-release JAR that bundles Java 21 (class-file major 65)
+ // variants under META-INF/versions/21. The Shadow 8.1.1 plugin relocates com.fasterxml
+ // and its ASM cannot read major version 65, so it fails with
+ // "Unsupported class file major version 65". These are JDK-21-only optimizations; dropping
+ // them is safe because the base (Java 8) classes remain and multi-release fallback applies.
+ exclude 'META-INF/versions/21/**'
 relocate 'io.grpc', 'io.pinecone.shadow.io.grpc'
 relocate 'com.google', 'io.pinecone.shadow.com.google'
 relocate 'org.slf4j', 'io.pinecone.shadow.org.slf4j'
From fa2fb7f21e15fb09a70d76382174832b9242c867 Mon Sep 17 00:00:00 2001
From: joerg84
Date: Fri, 5 Jun 2026 17:31:58 -0400
Subject: [PATCH 2/3] chore(deps): use latest jackson 2.x (2.22.0) per review

Bump jackson-core/databind 2.18.8 -> 2.22.0 (latest 2.x) per review feedback on #221. 2.22.0 is still Java 8 compatible and has the same multi-release profile (Java 21 classes under META-INF/versions/21), so the existing shadowJar exclude is unchanged. jackson 3.x is not an option: it uses new coordinates (tools.jackson.*) and requires Java 17, while this client targets Java 8.

Co-Authored-By: Claude Opus 4.8
---
 build.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
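Review bot: The `exclude 'META-INF/versions/21/**'` added right after `shadowJar {` applies to every artifact merged into the fat jar, not only jackson-core, so the Java 21 variants of any other multi-release dependency present now or added later are stripped as well, while the comment above it names only jackson-core. Whether that is harmless for those other jars cannot be told from this hunk, so the comment should at least record the wider effect, e.g. `// NOTE: this exclude is global to the shadow jar and also drops the Java 21 variants of any other multi-release dependency.` Since the commit's stated purpose is that deeply nested input now fails with a constraints exception instead of a StackOverflowError, a unit test that feeds a deeply nested document through the configured ObjectMapper and expects `StreamConstraintsException` would pin the fix against a future downgrade; the hunk at `@@ -60,7 +60,7 @@` only bumps the test dependency version. The shadowJar block continues past the end of the hunk.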
diff --git a/build.gradle b/build.gradle
index 217f903c..ceb15dba 100644
--- a/build.gradle
+++ b/build.gradle
@@ -47,8 +47,8 @@ dependencies {
 implementation 'com.google.api.grpc:proto-google-common-protos:2.14.3'
 implementation 'com.squareup.okhttp3:okhttp:4.12.0'
 implementation 'com.squareup.okhttp3:logging-interceptor:4.12.0'
- implementation 'com.fasterxml.jackson.core:jackson-databind:2.18.8'
- implementation 'com.fasterxml.jackson.core:jackson-core:2.18.8'
+ implementation 'com.fasterxml.jackson.core:jackson-databind:2.22.0'
+ implementation 'com.fasterxml.jackson.core:jackson-core:2.22.0'
 implementation 'com.google.code.gson:gson:2.9.1'
 implementation 'io.gsonfire:gson-fire:1.8.5'
 implementation 'org.openapitools:jackson-databind-nullable:0.2.6'
@@ -60,7 +60,7 @@ dependencies {
 testImplementation "org.hamcrest:hamcrest:2.2"
 testImplementation 'org.mockito:mockito-inline:4.8.0'
 testImplementation 'org.slf4j:slf4j-simple:2.0.5'
- testImplementation 'com.fasterxml.jackson.core:jackson-databind:2.18.8'
+ testImplementation 'com.fasterxml.jackson.core:jackson-databind:2.22.0'
 testImplementation 'org.junit.jupiter:junit-jupiter-api:5.8.0'
 testImplementation 'org.junit.platform:junit-platform-launcher:1.8.0'
 testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.8.0'
From ed1ef40f872546bdcd965bc1a8b2d1f2fc8106e4 Mon Sep 17 00:00:00 2001
From: joerg84
Date: Fri, 5 Jun 2026 17:34:03 -0400
Subject: [PATCH 3/3] chore(deps): use jackson 2.21 LTS (2.21.4) instead of non-LTS 2.22
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Per review: 2.22 is not a long-term-support branch, while 2.21 is an LTS release (~2-year support window with security backports) — a better fit for a published client library. 2.21.4 is Java 8 compatible with the same multi-release profile, so the shadowJar exclude is unchanged.

Co-Authored-By: Claude Opus 4.8
---
 build.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/build.gradle b/build.gradle
index ceb15dba..031b6733 100644
--- a/build.gradle
+++ b/build.gradle
@@ -47,8 +47,8 @@ dependencies {
 implementation 'com.google.api.grpc:proto-google-common-protos:2.14.3'
 implementation 'com.squareup.okhttp3:okhttp:4.12.0'
 implementation 'com.squareup.okhttp3:logging-interceptor:4.12.0'
- implementation 'com.fasterxml.jackson.core:jackson-databind:2.22.0'
- implementation 'com.fasterxml.jackson.core:jackson-core:2.22.0'
+ implementation 'com.fasterxml.jackson.core:jackson-databind:2.21.4'
+ implementation 'com.fasterxml.jackson.core:jackson-core:2.21.4'
 implementation 'com.google.code.gson:gson:2.9.1'
 implementation 'io.gsonfire:gson-fire:1.8.5'
 implementation 'org.openapitools:jackson-databind-nullable:0.2.6'
@@ -60,7 +60,7 @@ dependencies {
 testImplementation "org.hamcrest:hamcrest:2.2"
 testImplementation 'org.mockito:mockito-inline:4.8.0'
 testImplementation 'org.slf4j:slf4j-simple:2.0.5'
- testImplementation 'com.fasterxml.jackson.core:jackson-databind:2.22.0'
+ testImplementation 'com.fasterxml.jackson.core:jackson-databind:2.21.4'
 testImplementation 'org.junit.jupiter:junit-jupiter-api:5.8.0'
 testImplementation 'org.junit.platform:junit-platform-launcher:1.8.0'
 testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.8.0'