deps(maven): bump jackson-bom from 2.14.2 to 2.15.0 #12526
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
dependabot
bot
added
the
dependencies
Bumps [jackson-bom](https://github.com/FasterXML/jackson-bom) from 2.14.2 to 2.15.0. - [Release notes](https://github.com/FasterXML/jackson-bom/releases) - [Commits](FasterXML/jackson-bom@jackson-bom-2.14.2...jackson-bom-2.15.0) --- updated-dependencies: - dependency-name: com.fasterxml.jackson:jackson-bom dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
force-pushed
the
dependabot/maven/main/com.fasterxml.jackson-jackson-bom-2.15.0
branch
from
035ccaf to
8db064c
Compare
|
It seems there's a default maximum constraint to string lengths in the convert with this update, of up to 5,000,000, added here: FasterXML/jackson-core#863 It seems in fact that the whole For backwards compatibility, we could of course set maximum limits, but as this was introduced for security purposes (specifically
The failing test is trying to set up a 10M variable. If we would like to support this, then we would have to make sure everywhere we use Jackson for such things, we'd need to allow tokens up to the This is easy to do for client side incoming messages, but a bit harder on the broker side for things like when converting decision outputs from message pack to JSON - what's the max message size there? We can use the default broker one, I guess 🤷 In that case, we can't use a static converter anymore, but instead it must be injected/passed around with configuration from the broker =/ Of course, another simpler approach (but one prone to the CVE I guess) would be to set a fairly high limit. However, as we don't limit our own message size, a user could always put something higher (unless we put, say, |
|
The other option is assume our max message size sufficiently truncates things, and we simply don't worry about setting limits here. That leaves a possible OOM due to converting accumulated state from RocksDB, I suppose, but we're likely to run out of memory just holding it anyway, so perhaps we can simply set high limits here. |
|
I think the solution will be to simply set no limit. As we never stream JSON, but rather we always have the complete payload already in memory, so an attacker wishing to DoS us via this vector would already be able to do this way before it hits the JSON parser. |
|
Build succeeded: |
ghost
deleted the
dependabot/maven/main/com.fasterxml.jackson-jackson-bom-2.15.0
branch
* feat(variables): extend variables endpoint with filters * remove comment * josh's feedback * spotless * small readability adjustment * Update backend/src/it/java/org/camunda/optimize/service/db/es/retrieval/variable/ProcessVariableNameIT.java Co-authored-by: Josh Windels <[email protected]> * Update backend/src/it/java/org/camunda/optimize/service/db/es/retrieval/variable/ProcessVariableNameIT.java Co-authored-by: Josh Windels <[email protected]> * josh's feedback - wip * josh's feedback 2 - wip * josh's feedback 3 - wip * adjusting last IT * spotless * feat(variables api): update FE calls to updated endpoint (#12526) * feat(variables api): update FE calls to updated endpoint related to #12415 * add missing filter --------- Co-authored-by: Josh Windels <[email protected]> Co-authored-by: Michał Konopski <[email protected]>
Bumps jackson-bom from 2.14.2 to 2.15.0.
Commits
2c28e23[maven-release-plugin] prepare release jackson-bom-2.15.035c5c4fPrepare for 2.15.0 release3fc3624Back to snapshot deps246b73c[maven-release-plugin] prepare for next development iterationc2b35ab[maven-release-plugin] prepare release jackson-bom-2.15.0-rc3814d8f5Prepare for 2.15.0-rc3 release365ee6aBack to snapshot deps2ff14f1[maven-release-plugin] prepare for next development iteration78c68bc[maven-release-plugin] prepare release jackson-bom-2.15.0-rc29f26bd4Prepare for 2.15.0-rc2Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)