SWI-3723 [Snyk] Fix for 1 vulnerabilities

[bwappsec]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• samples/client/others/java/jersey2-oneOf-Mixed/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	125	com.fasterxml.jackson.core:jackson-core: 2.19.2 -> 2.21.2 com.fasterxml.jackson.core:jackson-databind: 2.19.2 -> 2.21.2 com.fasterxml.jackson.datatype:jackson-datatype-jsr310: 2.19.2 -> 2.21.2 org.glassfish.jersey.media:jersey-media-json-jackson: 2.37 -> 3.0.4 Major version upgrade No Path Found No Known Exploit

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

[bwappsec]

This set of upgrades includes a major version increase for org.glassfish.jersey.media:jersey-media-json-jackson from 2.37 to 3.0.4, which introduces significant breaking changes. The Jackson library upgrades are minor and considered low risk.

jersey-media-json-jackson (2.37 → 3.0.4) - HIGH RISK

The upgrade to Jersey 3.x is driven by the transition from Java EE to Jakarta EE. This is a major breaking change that requires developer action.

Key Breaking Changes:

• Namespace Migration: The most critical change is the migration of package namespaces from javax.* to jakarta.*. All application code importing packages like javax.ws.rs.* must be updated to jakarta.ws.rs.*.
• JDK Requirement: Jersey 3.0 and later may require JDK 11 or higher for certain modules. The broader Jakarta EE 9 ecosystem, which Jersey 3 is part of, has moved towards a JDK 11 baseline.
• Server Compatibility: Your application server must be compatible with Jakarta EE 9. Supported servers include Tomcat 10, Jetty 11, and GlassFish 6.
• Removed APIs: Support for the outdated Jackson 1.x has been removed.

Recommendation: Before merging, a thorough migration of all javax.* imports to their jakarta.* equivalents is required. Verify your application's JDK version and ensure your deployment environment uses a Jakarta EE 9 compatible server.

Jackson Upgrades (2.19.2 → 2.21.2) - LOW RISK

The upgrades for jackson-core, jackson-databind, and jackson-datatype-jsr310 are minor version bumps.

• The primary change in version 2.20 was dropping support for Java 6, requiring Java 8 as the new baseline.
• The 2.21 release line consists mainly of bug fixes and performance improvements, with version 2.21.0 being designated as a Long-Term Support (LTS) release.

These upgrades are considered safe and should not introduce breaking changes for applications already running on Java 8 or newer.

Source: Jersey 3.x Migration Guide, Jackson 2.20 Release Notes, Jackson 2.21 Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[bwappsec]

⚠️ Snyk checks are incomplete.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
⚠️	Open Source Security	0	0	0	0	See details
⚠️	Licenses	0	0	0	0	See details
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.