Hi @damianszczepanik
Your latest version 2.4.2 still has the vulnerability - due to the fact you are pulling in jackson 2.13.*
See -
```
| \--- pl.damianszczepanik:silencio:2.4.2
| +--- com.fasterxml.jackson.core:jackson-databind:2.13.4 -> 2.13.4.2 (*)
| +--- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.13.4
| | +--- com.fasterxml.jackson.core:jackson-core:2.13.4 (*)
| | +--- com.fasterxml.jackson.core:jackson-annotations:2.13.4 (*)
| | +--- com.fasterxml.jackson.core:jackson-databind:2.13.4 -> 2.13.4.2 (*)
| | +--- org.codehaus.woodstox:stax2-api:4.2.1
| | +--- com.fasterxml.woodstox:woodstox-core:6.3.1
| | | \--- org.codehaus.woodstox:stax2-api:4.2.1
| | \--- com.fasterxml.jackson:jackson-bom:2.13.4 (*)
```
The vulnerability fix to jackson is from 2.14.0 onwards.
Could you please update your lib to at least 2.14.0.
Thanks
https://nvd.nist.gov/vuln/detail/CVE-2022-40152
Need to pull in 'com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.14.0' which resolves this.
Dependency tree -
```
| \--- pl.damianszczepanik:silencio:2.4.1
| +--- com.fasterxml.jackson.core:jackson-databind:2.13.4 -> 2.13.4.2 (*)
| +--- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.13.4
| | +--- com.fasterxml.jackson.core:jackson-core:2.13.4 (*)
| | +--- com.fasterxml.jackson.core:jackson-annotations:2.13.4 (*)
| | +--- com.fasterxml.jackson.core:jackson-databind:2.13.4 -> 2.13.4.2 (*)
| | +--- org.codehaus.woodstox:stax2-api:4.2.1
| | +--- com.fasterxml.woodstox:woodstox-core:6.3.1
| | | \--- org.codehaus.woodstox:stax2-api:4.2.1
```
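As an added example (not code from this issue, from silencio, or from the Jackson project): a small Python checker that parses a Gradle `dependencies` tree like the ones pasted in this thread, follows the `declared -> resolved` arrows to the version Gradle actually put on the classpath, and flags any coordinate resolved below a minimum. The sample tree is re-typed inline as constructed input with Gradle's usual `+---`/`\---` connectors. The 2.14.0 threshold for jackson-dataformat-xml is the one the reporter asks for; the 6.4.0 threshold for woodstox-core is an assumption about where the CVE-2022-40152 fix landed and should be checked against the advisory before relying on it.

```python
import re
from dataclasses import dataclass

# Minimum acceptable versions. jackson-dataformat-xml >= 2.14.0 is what the
# thread asks for; woodstox-core >= 6.4.0 is ASSUMED here to be the version
# carrying the CVE-2022-40152 fix (verify against the advisory for your build).
MINIMUM_VERSIONS = {
    "com.fasterxml.jackson.dataformat:jackson-dataformat-xml": "2.14.0",
    "com.fasterxml.woodstox:woodstox-core": "6.4.0",
}

# Constructed sample input: the tree from the issue, re-typed with Gradle's
# normal connectors and (*) markers so it parses like real `gradle dependencies`.
SAMPLE_TREE = r"""
\--- pl.damianszczepanik:silencio:2.4.2
     +--- com.fasterxml.jackson.core:jackson-databind:2.13.4 -> 2.13.4.2 (*)
     +--- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.13.4
     |    +--- com.fasterxml.jackson.core:jackson-core:2.13.4 (*)
     |    +--- com.fasterxml.jackson.core:jackson-annotations:2.13.4 (*)
     |    +--- com.fasterxml.jackson.core:jackson-databind:2.13.4 -> 2.13.4.2 (*)
     |    +--- org.codehaus.woodstox:stax2-api:4.2.1
     |    +--- com.fasterxml.woodstox:woodstox-core:6.3.1
     |    |    \--- org.codehaus.woodstox:stax2-api:4.2.1
     |    \--- com.fasterxml.jackson:jackson-bom:2.13.4 (*)
"""

# One dependency line: tree connectors, then group:artifact:declared and an
# optional "-> resolved" when Gradle's conflict resolution picked another version.
DEP_LINE = re.compile(
    r"^(?P<prefix>[\s|+\\-]*)"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<declared>[^\s]+)"
    r"(?:\s+->\s+(?P<resolved>[^\s(]+))?"
)


def version_key(version: str):
    """Order versions on their dotted numeric prefix; a trailing qualifier
    (e.g. 2.14.0-rc1) sorts below the plain release with the same numbers."""
    numbers, qualifier = [], ""
    for part in version.split("."):
        m = re.match(r"(\d+)(.*)", part)
        if not m:
            qualifier = part
            break
        numbers.append(int(m.group(1)))
        if m.group(2):
            qualifier = m.group(2)
            break
    return (tuple(numbers), 0 if not qualifier else -1)


@dataclass(frozen=True)
class Finding:
    coordinate: str  # group:artifact
    version: str     # version actually resolved onto the classpath
    minimum: str     # first version treated as fixed
    path: str        # chain of parents that pulled the dependency in


def parse_tree(text: str):
    """Yield (depth, group:artifact, resolved version) for each dependency line."""
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        depth = m.start("group") // 5  # Gradle indents five columns per level
        resolved = m.group("resolved") or m.group("declared")
        yield depth, f"{m.group('group')}:{m.group('artifact')}", resolved


def find_vulnerable(text: str, minimums=MINIMUM_VERSIONS):
    """Return Findings for every coordinate resolved below its minimum version,
    each with the path through the tree that explains why it is present."""
    findings, stack = [], []  # stack: (depth, "artifact:version") ancestors
    for depth, coordinate, version in parse_tree(text):
        while stack and stack[-1][0] >= depth:
            stack.pop()
        label = f"{coordinate.split(':')[1]}:{version}"
        path = " > ".join([s[1] for s in stack] + [label])
        stack.append((depth, label))
        minimum = minimums.get(coordinate)
        if minimum and version_key(version) < version_key(minimum):
            findings.append(Finding(coordinate, version, minimum, path))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_TREE):
        print(f"{f.coordinate} resolved {f.version} < {f.minimum} via {f.path}")
```

On the sample it reports both the jackson-dataformat-xml 2.13.4 node and the woodstox-core 6.3.1 node it drags in, with the path back to silencio, which is the evidence needed when asking a library author to bump a transitive dependency. Feed it real output with `./gradlew dependencies --configuration runtimeClasspath` piped into `find_vulnerable`.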