My organization is blocking application releases that include Jackson Databind 2.9.8, due to vulnerability concerns. Are there any plans to include an upgrade to Jackson Databind and related components in Play 2.7.4? That would be great. If so, when will Play 2.7.4 be released?
I’m aware that a newer version of Jackson Databind will be supported in Play 2.8, but that release does not seem to be imminent.
Thanks
There is already an integrated pull request updating to 2.9.9.3, but you don’t need to wait for a next release of Play, you can update the dependency by yourself by adding it on your build.sbt:
libraryDependencies += "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9.3"
That way, this version will be used and the one Play provides will be evicted.
Best.
Thank you, Marcos. That worked perfectly. I’m very grateful for the rapid reply. This was more helpful than you could (hopefully) ever know.