[Snyk] Fix for 1 vulnerabilities

[snyk-io]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• samples/server/petstore/java-msf4j/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	125	com.fasterxml.jackson.datatype:jackson-datatype-joda: 2.10.1 -> 2.21.2 No Path Found No Known Exploit

Breaking Change Risk

Notice: This assessment is enhanced by AI.

Vulnerabilities that could not be fixed

• Upgrade:
  • Could not upgrade org.wso2.msf4j:msf4j-core@2.0.0 to org.wso2.msf4j:msf4j-core@2.1.0; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/wso2/msf4j/msf4j-service/2.0.0/msf4j-service-2.0.0.pom

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

[snyk-io]

This update includes a significant version jump for jackson-datatype-joda which raises the minimum Java version requirement and introduces new processing limits. The msf4j-core upgrade is a minor release with bug fixes.

com.fasterxml.jackson.datatype:jackson-datatype-joda@2.10.1 → 2.21.2

Risk: Medium

This upgrade spans multiple Jackson releases and introduces notable changes, primarily from its core dependencies (jackson-core and jackson-databind).

Breaking Changes & Key Updates:

• Java Version Requirement: Jackson 2.13 and later require Java 8 as the minimum runtime version. The previous baseline was Java 7. This is the most critical change and requires environment verification.
• New Processing Limits: To address potential DoS attacks, Jackson 2.15 introduced StreamReadConstraints, which limits the maximum nesting depth of JSON structures (default: 1000 levels). Applications processing very large or deeply nested documents may need to adjust these constraints.
• Stricter Parsing Behavior:
  • As of 2.17, JSON strings with leading zeros (e.g., "07") are no longer automatically converted to numbers, which may affect enum deserialization.
  • As of 2.13, JSON null is no longer coerced into the Java String "null" when reading a Type ID, which is a correctness fix that could break code relying on the old behavior.
• Dependency Updates: The upgrade includes updates to transitive dependencies like SnakeYAML, which may have their own breaking changes if you use the YAML data format.

Recommendation:
Verify that your project's runtime environment is Java 8 or higher. It is also recommended to test deserialization logic, especially for complex/nested JSON objects and enums, to ensure compatibility with the new processing limits and stricter parsing rules.

*Source: Jackson 2.13 Release Notes, Jackson 2.14 Release Notes, Jackson 2.15 Release Notes, Jackson 2.17 Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.