My organization is blocking application releases that include Jackson Databind 2.9.8, due to vulnerability concerns. Are there any plans to include an upgrade to Jackson Databind and related components in Play 2.7.4? That would be great. If so, when will Play 2.7.4 be released?
I’m aware that a newer version of Jackson Databind will be supported in Play 2.8, but that release does not seem to be imminent.
There is already an integrated pull request updating to 2.9.9.3, but you don’t need to wait for a next release of Play, you can update the dependency by yourself by adding it on your build.sbt: