[Snyk] Fix for 1 vulnerabilities

[snyk-io]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• samples/server/petstore/jaxrs/jersey2-useTags/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	125	com.fasterxml.jackson.datatype:jackson-datatype-joda: 2.8.9 -> 2.21.2 com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider: 2.8.9 -> 2.21.2 No Path Found No Known Exploit

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

[snyk-io]

This is a major version upgrade across multiple releases (2.8.9 → 2.21.2) for core Jackson components and introduces significant breaking changes, most notably requiring a Java runtime update.

Key Breaking Changes:

• Java 8 Required: The most critical change is the increase of the minimum Java version. Jackson 2.13 and later require Java 8, whereas version 2.8 was compatible with Java 7. Applications running on Java 7 will fail to start.

• JAX-RS Provider Changes (jackson-jaxrs-json-provider):

  • JAX-RS 1.x Support Dropped: Starting with version 2.13, support for JAX-RS 1.x implementations has been removed. You must be using a JAX-RS 2.x compatible implementation (like newer versions of Jersey or RESTEasy).
  • Javax vs. Jakarta Namespace: Version 2.13 introduced new provider modules for the jakarta.* namespace. Since you are upgrading jackson-jaxrs-json-provider, you are using the javax.* variant. Ensure your application server or framework has not migrated to the jakarta.* namespace, as that would require switching to the jackson-jakarta-rs-json-provider artifact.

• Core API & Behavior Changes:

  • Safe Default Typing (2.10+): To mitigate security vulnerabilities (CVEs), the mechanism for enabling global polymorphic deserialization (enableDefaultTyping) was replaced by a safer API (activateDefaultTyping). If you use default typing, you must update your ObjectMapper configuration.
  • Stricter Generics (2.10+): A source-incompatible change was introduced that makes generic type assignment for TypeReference stricter. Code that previously compiled may now fail with a compilation error if the generic types do not strictly match.

Recommendation:

1. Verify Java Version: Confirm your production environment is running on Java 8 or newer.
2. Review JAX-RS Usage: Ensure you are using a JAX-RS 2.x implementation and that your application still uses the javax.ws.rs package namespace.
3. Audit ObjectMapper Configuration: Search for usages of enableDefaultTyping and migrate to the new activateDefaultTyping API if it is in use.

Source: Jackson Project release notes for versions 2.9 through 2.21.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.