From e9da80898b1bd96b09fbd72a1236326b00092795 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9Clrathod=E2=80=9D?= <likhesh.rathod@harness.io>
Date: Wed, 24 Jun 2026 13:41:45 +0530
Subject: [PATCH] Update jackson-bom version to 2.21.4

Patches CVE-2026-54513 (CVSS 8.1, High): allowIfSubTypeIsArray bypass
in BasicPolymorphicTypeValidator. Affects jackson-databind >= 2.19.0,
< 2.21.4. Fixed in 2.21.4.

Advisory: https://github.com/advisories/GHSA-rmj7-2vxq-3g9f
---
 gradle/libs.versions.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 66e3bf6..50a9c2f 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -36,7 +36,7 @@ grpc-netty = { module = "io.grpc:grpc-netty" }
 grpc-context = { module = "io.grpc:grpc-context" }
 grpc-inprocess = { module = "io.grpc:grpc-inprocess" }
 grpc-services = { module = "io.grpc:grpc-services" }
-jackson-bom = { module = "com.fasterxml.jackson:jackson-bom", version = "2.21.1" }
+jackson-bom = { module = "com.fasterxml.jackson:jackson-bom", version = "2.21.4" }
 jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind" }
 jackson-datatype-jsr310 = { module = "com.fasterxml.jackson.datatype:jackson-datatype-jsr310" }
 jackson-datatype-jdk8 = { module = "com.fasterxml.jackson.datatype:jackson-datatype-jdk8" }