From a394b2cdf7286cb5e2ba6269c6eacee9c626ef2e Mon Sep 17 00:00:00 2001
From: PJ Fanning
Date: Fri, 8 Apr 2022 08:17:14 +0200
Subject: [PATCH] Upgrade jackson 2.13 version due to CVE (#31281)
* Upgrade jackson 2.13 version due to CVE
* v2.13.2.2 fixes small issue in jackson bom
---
 project/Dependencies.scala | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index daa2849efb..ed3369f133 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -25,7 +25,7 @@ object Dependencies {
 val protobufJavaVersion = "3.16.1"
 val logbackVersion = "1.2.11"
- val jacksonVersion = Def.setting {
+ val jacksonCoreVersion = Def.setting {
 if (scalaVersion.value.startsWith("3.")) {
 "2.13.2"
 } else {
@@ -33,6 +33,14 @@ object Dependencies {
 }
 }
+ val jacksonDatabindVersion = Def.setting {
+ if (scalaVersion.value.startsWith("3.")) {
+ "2.13.2.2"
+ } else {
+ jacksonCoreVersion.value
+ }
+ }
+
 val scala212Version = "2.12.15"
 val scala213Version = "2.13.8"
 // To get the fix for https://github.com/lampepfl/dotty/issues/13106
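Review bot: The patched databind version is selected only in the `startsWith("3.")` branch of the new `jacksonDatabindVersion`; the `else` branch returns `jacksonCoreVersion.value`, whose non-Scala-3 value sits on a line outside this hunk, so the diff alone does not show whether Scala 2 builds end up on a databind release that carries the fix. Neither the commit message nor the code names the advisory, so a later reader cannot tell why databind is pinned apart from the other Jackson modules or when the split can be removed. I would add a comment above the setting such as `// databind pinned separately for <CVE-ID placeholder>; re-align with jacksonCoreVersion once a regular release contains the fix`, and confirm the 2.x line is already on a fixed version.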
@@ -120,28 +128,28 @@ object Dependencies {
 val asnOne = ("com.hierynomus" % "asn-one" % "0.5.0").exclude("org.slf4j", "slf4j-api") // ApacheV2
 val jacksonCore = Def.setting {
- "com.fasterxml.jackson.core" % "jackson-core" % jacksonVersion.value
+ "com.fasterxml.jackson.core" % "jackson-core" % jacksonCoreVersion.value
 } // ApacheV2
 val jacksonAnnotations = Def.setting {
- "com.fasterxml.jackson.core" % "jackson-annotations" % jacksonVersion.value
+ "com.fasterxml.jackson.core" % "jackson-annotations" % jacksonCoreVersion.value
 } // ApacheV2
 val jacksonDatabind = Def.setting {
- "com.fasterxml.jackson.core" % "jackson-databind" % jacksonVersion.value
+ "com.fasterxml.jackson.core" % "jackson-databind" % jacksonDatabindVersion.value
 } // ApacheV2
 val jacksonJdk8 = Def.setting {
- "com.fasterxml.jackson.datatype" % "jackson-datatype-jdk8" % jacksonVersion.value
+ "com.fasterxml.jackson.datatype" % "jackson-datatype-jdk8" % jacksonCoreVersion.value
 } // ApacheV2
 val jacksonJsr310 = Def.setting {
- "com.fasterxml.jackson.datatype" % "jackson-datatype-jsr310" % jacksonVersion.value
+ "com.fasterxml.jackson.datatype" % "jackson-datatype-jsr310" % jacksonCoreVersion.value
 } // ApacheV2
 val jacksonScala = Def.setting {
- "com.fasterxml.jackson.module" %% "jackson-module-scala" % jacksonVersion.value
+ "com.fasterxml.jackson.module" %% "jackson-module-scala" % jacksonCoreVersion.value
 } // ApacheV2
 val jacksonParameterNames = Def.setting {
- "com.fasterxml.jackson.module" % "jackson-module-parameter-names" % jacksonVersion.value
+ "com.fasterxml.jackson.module" % "jackson-module-parameter-names" % jacksonCoreVersion.value
 } // ApacheV2
 val jacksonCbor = Def.setting {
- "com.fasterxml.jackson.dataformat" % "jackson-dataformat-cbor" % jacksonVersion.value
+ "com.fasterxml.jackson.dataformat" % "jackson-dataformat-cbor" % jacksonCoreVersion.value
 } // ApacheV2
 val lz4Java = "org.lz4" % "lz4-java" % "1.8.0" // ApacheV2
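Review bot: Only the direct `jackson-databind` coordinate in `jacksonDatabind` picks up `jacksonDatabindVersion`; the modules left on `jacksonCoreVersion` (`jackson-module-scala`, `jackson-dataformat-cbor`, the datatype modules) bring in databind as their own transitive dependency, so a project that lists one of them without also listing `jacksonDatabind` would presumably still resolve the older databind. Which projects consume these settings is not visible in this diff, so this should be checked against the resolved classpath (sbt's `evicted` report) rather than the declared versions. If any module turns out to be affected, something like `dependencyOverrides += jacksonDatabind.value` in the shared build settings would force the patched version everywhere.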