fix: patch security alerts — bump Jackson and constrain vulnerable transitive deps (#119)

jkennedyvz · claude · web-flow · commit dfe092c51ab2 · 2026-03-30T17:52:49.000-07:00
Bumps Jackson 2.18.2→2.18.6 in published api deps and adds version constraints for vulnerable transitive dependencies in test and example scopes (Tomcat 9.0.115, Jetty 9.4.57, logback 1.2.13, commons-fileupload 1.6.0, commons-io 2.14.0, json-smart 2.4.9, snakeyaml 1.31, spring-web 5.3.34). Addresses alerts: #75 (jackson-core), #82/#81/#80/#79/#78/#72/#70/#69 /#68/#66/#65/#60/#59/#54/#52/#51/#48/#46/#45/#44/#43/#35/#34/#29/#31 (tomcat/jetty/logback/commons). Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/langsmith-java-core/build.gradle.kts b/langsmith-java-core/build.gradle.kts
@@ -35,14 +35,14 @@ configurations.all {
 }
 
 dependencies {
-    api("com.fasterxml.jackson.core:jackson-core:2.18.2")
-    api("com.fasterxml.jackson.core:jackson-databind:2.18.2")
+    api("com.fasterxml.jackson.core:jackson-core:2.18.6")
+    api("com.fasterxml.jackson.core:jackson-databind:2.18.6")
     api("com.google.errorprone:error_prone_annotations:2.33.0")
 
-    implementation("com.fasterxml.jackson.core:jackson-annotations:2.18.2")
-    implementation("com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.18.2")
-    implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.2")
-    implementation("com.fasterxml.jackson.module:jackson-module-kotlin:2.18.2")
+    implementation("com.fasterxml.jackson.core:jackson-annotations:2.18.6")
+    implementation("com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.18.6")
+    implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.6")
+    implementation("com.fasterxml.jackson.module:jackson-module-kotlin:2.18.6")
     implementation("org.apache.httpcomponents.core5:httpcore5:5.2.4")
     implementation("org.apache.httpcomponents.client5:httpclient5:5.3.1")
 
@@ -66,6 +66,24 @@ dependencies {
     compileOnly("com.anthropic:anthropic-java:2.18.0")
     testImplementation("com.anthropic:anthropic-java:2.18.0")
 
+    // Security: constrain vulnerable transitive test dependencies (from wiremock-jre8).
+    // These constraints apply to the test scope only and do not affect published artifacts.
+    constraints {
+        // CVE-2024-13009, CVE-2025-5115, CVE-2024-22201, CVE-2023-36478
+        testImplementation("org.eclipse.jetty:jetty-server") { version { require("9.4.57.v20241219") } }
+        testImplementation("org.eclipse.jetty.http2:http2-common") { version { require("9.4.57.v20241219") } }
+        testImplementation("org.eclipse.jetty.http2:http2-hpack") { version { require("9.4.57.v20241219") } }
+        // CVE-2023-6481, CVE-2023-6378
+        testImplementation("ch.qos.logback:logback-core") { version { require("1.2.13") } }
+        testImplementation("ch.qos.logback:logback-classic") { version { require("1.2.13") } }
+        // CVE-2025-48976, CVE-2023-24998
+        testImplementation("commons-fileupload:commons-fileupload") { version { require("1.6.0") } }
+        // CVE-2024-47554
+        testImplementation("commons-io:commons-io") { version { require("2.14.0") } }
+        // CVE-2023-1370
+        testImplementation("net.minidev:json-smart") { version { require("2.4.9") } }
+    }
+
     testImplementation(kotlin("test"))
     // Simple logging for tests only
     testImplementation("org.slf4j:slf4j-simple:2.0.17")
diff --git a/langsmith-java-example/build.gradle.kts b/langsmith-java-example/build.gradle.kts
@@ -26,6 +26,26 @@ dependencies {
     implementation(platform("org.springframework.boot:spring-boot-dependencies:2.7.18"))
     implementation("org.springframework.boot:spring-boot-starter-web")
     implementation("org.springframework.boot:spring-boot-starter")
+
+    // Security: constrain vulnerable transitive dependencies from Spring Boot 2.7.18.
+    // Spring Boot 2.7.x is EOL; these constraints override the managed versions in-place.
+    // None of these affect published artifacts (this is a non-published example module).
+    constraints {
+        // CVE-2025-24813 (CRITICAL), CVE-2026-24734, CVE-2025-55752, CVE-2025-53506,
+        // CVE-2025-52520, CVE-2025-48989, CVE-2025-48988, CVE-2024-56337, CVE-2024-50379, CVE-2024-34750
+        // Remove this constraint when upgrading to Spring Boot 3.x (which manages Tomcat 10+).
+        implementation("org.apache.tomcat.embed:tomcat-embed-core") { version { require("9.0.115") } }
+        implementation("org.apache.tomcat.embed:tomcat-embed-websocket") { version { require("9.0.115") } }
+        // CVE-2024-22243, CVE-2024-22259, CVE-2024-22262
+        // Note: CVE-2016-1000027 (CRITICAL) requires spring-web 6.0.0 — needs Spring Boot 3.x upgrade.
+        implementation("org.springframework:spring-web") { version { require("5.3.34") } }
+        implementation("org.springframework:spring-webmvc") { version { require("5.3.34") } }
+        // CVE-2023-6481, CVE-2023-6378
+        implementation("ch.qos.logback:logback-core") { version { require("1.2.13") } }
+        implementation("ch.qos.logback:logback-classic") { version { require("1.2.13") } }
+        // CVE-2022-25857 (note: CVE-2022-1471 requires snakeyaml 2.0 which is incompatible with Spring Boot 2.7.x)
+        implementation("org.yaml:snakeyaml") { version { require("1.31") } }
+    }
 }
 
 tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile>().configureEach {
