From 1e4ebd03ae61baae7ae9abf1aee49ace46941a27 Mon Sep 17 00:00:00 2001
From: Julian Ladisch <julianladisch@users.noreply.github.com>
Date: Sun, 5 May 2024 16:38:31 +0200
Subject: [PATCH] MODINVOSTO-181: Unpin jackson fixing Number Parse DoS
 (PRISMA-2023-0067)

https://folio-org.atlassian.net/browse/MODINVOSTO-181

jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS): https://github.com/FasterXML/jackson-core/pull/827

mod-invoice-storage pins the jackson version to 2.13.4. This effectively downgrades the jackson version provided by RMB (domain-models-runtime, domain-models-api-interfaces) from 2.16.1 to 2.13.4.

Fix: Unpin jackson.
---
 pom.xml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/pom.xml b/pom.xml
index 3a7e4d61..9f302ded 100644
--- a/pom.xml
+++ b/pom.xml
@@ -25,7 +25,6 @@
 
     <!--Dependency Management Properties-->
     <vertx.version>4.5.4</vertx.version>
-    <jackson-bom.version>2.13.4</jackson-bom.version>
     <log4j.version>2.23.0</log4j.version>
 
     <!--Dependency properties-->
@@ -66,13 +65,6 @@
 
   <dependencyManagement>
     <dependencies>
-      <dependency>
-        <groupId>com.fasterxml.jackson</groupId>
-        <artifactId>jackson-bom</artifactId>
-        <version>${jackson-bom.version}</version>
-        <type>pom</type>
-        <scope>import</scope>
-      </dependency>
       <dependency>
         <groupId>org.junit</groupId>
         <artifactId>junit-bom</artifactId>