From a9448004ce33822db29fd57964ece3c23a7293e4 Mon Sep 17 00:00:00 2001
From: Moritz Eysholdt <moritz@ona.com>
Date: Sun, 8 Mar 2026 19:25:09 +0000
Subject: [PATCH] Fix CVE-2026-29062: upgrade jackson-core to 3.1.0

Override jackson-bom.version (3.0.3 -> 3.1.0) and jackson-2-bom.version
(2.20.1 -> 2.21.1) to resolve nesting depth constraint bypass in
jackson-core (GHSA-6v53-7c9g-w56r).

Co-authored-by: Ona <no-reply@ona.com>
---
 pom.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pom.xml b/pom.xml
index fb38cc3d..fc96c109 100644
--- a/pom.xml
+++ b/pom.xml
@@ -24,6 +24,10 @@
     <webjars-bootstrap.version>5.3.8</webjars-bootstrap.version>
     <webjars-font-awesome.version>4.7.0</webjars-font-awesome.version>
 
+    <!-- Override jackson-bom versions to fix CVE-2026-29062 (GHSA-6v53-7c9g-w56r) -->
+    <jackson-bom.version>3.1.0</jackson-bom.version>
+    <jackson-2-bom.version>2.21.1</jackson-2-bom.version>
+
     <checkstyle.version>12.1.2</checkstyle.version>
     <jacoco.version>0.8.14</jacoco.version>
     <libsass.version>0.3.4</libsass.version>