
[Snyk] Fix for 1 vulnerability #200

Open: snyk-io[bot] wants to merge 1 commit into master from snyk-fix-aee01bc8dabc9e217205a75945ce1633

Conversation


@snyk-io snyk-io bot commented Apr 5, 2026

Snyk has created this PR to fix 1 vulnerability in the maven dependencies of this project.

Snyk changed the following file(s):

  • samples/client/petstore/java/feign/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue: high severity, Allocation of Resources Without Limits or Throttling (SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551)
Score: 125
Upgrade: com.fasterxml.jackson.core:jackson-core 2.10.1 -> 2.21.2; com.fasterxml.jackson.core:jackson-databind 2.10.1 -> 2.21.2
Exploit maturity: No Path Found, No Known Exploit

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling


snyk-io bot commented Apr 5, 2026

Merge Risk: High

This upgrade from Jackson 2.10.1 to 2.21.2 is a major update that spans multiple releases and introduces several significant breaking changes, including a higher Java baseline and the migration from Javax to Jakarta namespaces.

Key Breaking Changes:

  • Java Version Requirement: The minimum Java version has been increased. As of version 2.13, jackson-databind requires Java 8, and as of 2.14, jackson-core also requires Java 8. Projects still on Java 7 will need to upgrade their JDK.

  • Javax to Jakarta Namespace Migration: Starting with version 2.13, Jackson introduced new modules with the -jakarta suffix to support applications using Jakarta EE (e.g., Spring Boot 3, newer versions of Jakarta EE). If your application uses modules like JAXB or JAX-RS, you will need to update your dependencies to the corresponding Jakarta-variant.

  • Annotation Behavior Change: In version 2.14, the handling of conflicting annotations was changed. @JsonIgnore now takes precedence over @JsonProperty. This could alter serialization or deserialization behavior for models where both annotations were used on the same property.

  • New Processing Limits: To mitigate potential Denial of Service (DoS) attacks, version 2.15 introduced default limits on maximum string length, number length, and JSON nesting depth. While this improves security, it could cause exceptions in applications that process unusually large but valid JSON structures.

  • Source Incompatibility in TypeReference: A change in version 2.10 made generic type handling for TypeReference more strict. While binary-compatible (existing compiled code works), it is not source-compatible, which may cause compilation failures in certain scenarios involving subtypes of generic collections.

Recommendation:

Given the number of breaking changes, this upgrade requires careful testing. Pay special attention to:

  1. Ensuring your project uses Java 8 or newer.
  2. Updating any javax.* related Jackson modules to their jakarta.* counterparts if applicable.
  3. Verifying the behavior of models that use conflicting @JsonIgnore and @JsonProperty annotations.

Source: Jackson 2.11, 2.13, 2.14, and 2.15 release notes.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
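The processing limits introduced in 2.15 are worth seeing in practice before merging, because they are what turns this "Allocation of Resources Without Limits" finding into a bounded failure. The following is an added example, not code from Snyk or from this repository; it assumes jackson-core and jackson-databind 2.15 or newer on the classpath and a constructed deeply nested array as input. It shows the default nesting-depth limit rejecting the document with StreamConstraintsException, and a deliberately relaxed StreamReadConstraints accepting it.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import java.io.IOException;

public class JacksonLimitsDemo {

    /** Constructed input: `depth` nested empty arrays, i.e. [[[...]]]. */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Returns true if the document parses, false if a StreamReadConstraints limit rejects it. */
    static boolean parses(ObjectMapper mapper, String json) {
        try {
            mapper.readTree(json);
            return true;
        } catch (StreamConstraintsException e) {
            // This is the exception the Snyk note warns about for "unusually large but valid" JSON.
            System.out.println("rejected: " + e.getMessage());
            return false;
        } catch (IOException e) {
            throw new IllegalStateException("malformed input", e);
        }
    }

    public static void main(String[] args) {
        StreamReadConstraints defaults = StreamReadConstraints.defaults();
        System.out.println("default maxNestingDepth = " + defaults.getMaxNestingDepth());
        System.out.println("default maxNumberLength = " + defaults.getMaxNumberLength());
        System.out.println("default maxStringLength = " + defaults.getMaxStringLength());

        // One level deeper than the default limit: rejected by a stock ObjectMapper.
        String deep = nestedArrays(defaults.getMaxNestingDepth() + 1);
        System.out.println("stock mapper parses deep doc: " + parses(new ObjectMapper(), deep));

        // Raising the limit is an explicit, per-factory decision; keep the default for untrusted input.
        StreamReadConstraints relaxed = StreamReadConstraints.builder()
                .maxNestingDepth(defaults.getMaxNestingDepth() + 10)
                .build();
        JsonFactory factory = JsonFactory.builder().streamReadConstraints(relaxed).build();
        ObjectMapper relaxedMapper = JsonMapper.builder(factory).build();
        System.out.println("relaxed mapper parses deep doc: " + parses(relaxedMapper, deep));
    }
}
```

If existing tests start failing with StreamConstraintsException after the upgrade, raise only the specific limit that legitimate input needs, on the mapper that handles trusted input, rather than disabling the constraints globally.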


snyk-io bot commented Apr 5, 2026

Snyk checks have passed. No issues have been found so far.

Scan results (Status / Scan Engine / Critical / High / Medium / Low / Total):
  Open Source Security: 0 critical, 0 high, 0 medium, 0 low, 0 issues
  Licenses: 0 critical, 0 high, 0 medium, 0 low, 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
