chore: bump transitive deps with CVEs in unmaintained json schema lib. (#74014)

tryangul · web-flow · commit a72d71f05cfd · 2026-02-24T16:07:31.000-08:00
diff --git a/airbyte-cdk/bulk/core/base/build.gradle.kts b/airbyte-cdk/bulk/core/base/build.gradle.kts
@@ -62,6 +62,14 @@ dependencies {
     api("com.fasterxml.jackson.core:jackson-databind")
     api("com.fasterxml.jackson.datatype:jackson-datatype-jsr310")
     api("com.kjetland:mbknor-jackson-jsonschema_2.13:1.0.39")
+    constraints {
+        api("org.scala-lang:scala-library:2.13.9") {
+            because("override transitive dep from mbknor-jackson-jsonschema — CVE-2022-36944 (deserialization gadget chain)")
+        }
+        api("io.github.classgraph:classgraph:4.8.112") {
+            because("override transitive dep from mbknor-jackson-jsonschema — CVE-2021-47621 (XXE)")
+        }
+    }
     api("io.airbyte.airbyte-protocol:protocol-models:0.19.0") {
         exclude(group="com.google.guava", module="guava")
         exclude(group="com.google.api-client")
diff --git a/airbyte-cdk/bulk/core/base/changelog.md b/airbyte-cdk/bulk/core/base/changelog.md
@@ -1,3 +1,7 @@
+## Version 1.0.1
+
+Bump transitive deps with CVEs in unmaintained json schema lib (mbknor-jackson-jsonschema): upgrade classgraph to 4.8.112 (CVE-2021-47621, XXE) and scala-library to 2.13.9 (CVE-2022-36944, deserialization gadget chain).
+
 ## Version 1.0.0
 
 Initial independent release of bulk-cdk-core-base.
diff --git a/airbyte-cdk/bulk/core/base/version.properties b/airbyte-cdk/bulk/core/base/version.properties
@@ -1 +1 @@
-version=1.0.0
+version=1.0.1
