
Update jackson-bom version to 2.21.4 #108

Open

lrathod wants to merge 1 commit into hypertrace:main from lrathod:NO-TICKET-bump-jackson-bom-2.21.4


Conversation


lrathod commented Jun 24, 2026

Summary

Bumps jackson-bom from 2.21.1 to 2.21.4 in gradle/libs.versions.toml.

This is a patch-level upgrade within the 2.21.x series that pulls in security fixes for jackson-databind, with no API or behavioral changes.

Why

  • CVE-2026-54513 (GHSA-rmj7-2vxq-3g9f) — CVSS 8.1 (High)
    • BasicPolymorphicTypeValidator.allowIfSubTypeIsArray() permits array types without checking the component type, enabling instantiation of non-allowlisted classes via an array wrapper.
    • Affects jackson-databind >= 2.19.0, < 2.21.4. Fixed in 2.21.4.
  • CVE-2026-54512 (GHSA-j3rv-43j4-c7qm) — CVSS 8.1 (High)
    • PTV bypass via generic type parameters in type IDs. Same affected range, same fix.

Both are weaknesses in BasicPolymorphicTypeValidator (CWE-184 / CWE-502).

Verification

  • Dependency version verified against published security advisories and Maven Central (jackson-bom-2.21.4.pom confirmed pinning jackson-databind 2.21.4).
  • Patch-level upgrade within the same 2.21.x series — no breaking changes expected.

Test plan

  • CI build succeeds
  • Downstream consumers can resolve jackson-databind at 2.21.4 transitively via this BOM

Patches CVE-2026-54513 (CVSS 8.1, High): allowIfSubTypeIsArray bypass
in BasicPolymorphicTypeValidator. Affects jackson-databind >= 2.19.0,
< 2.21.4. Fixed in 2.21.4.

Advisory: GHSA-rmj7-2vxq-3g9f
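Added here as an illustration (not code from this PR, from hypertrace or from Jackson): a small guard a downstream consumer can keep in its test suite after this bump. It checks that the jackson-databind actually on the classpath is at least 2.21.4 (the transitive-resolution item in the Test plan), and it contrasts an allowlist that includes allowIfSubTypeIsArray(), the rule named in the advisory, with one that lists subtypes explicitly, confirming that an unlisted subtype id is still rejected. Animal, Dog and Cat are hypothetical types; the JSON input is constructed for the check.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonUpgradeCheck {
    // Hypothetical domain types used only for this illustration.
    public static class Animal { public String name; }
    public static class Dog extends Animal { }
    public static class Cat extends Animal { }   // deliberately NOT on the allowlist

    // Fails fast if the jackson-databind resolved onto the classpath is older than the patched release.
    static boolean databindIsAtLeast(int major, int minor, int patch) {
        Version v = PackageVersion.VERSION;
        if (v.getMajorVersion() != major) return v.getMajorVersion() > major;
        if (v.getMinorVersion() != minor) return v.getMinorVersion() > minor;
        return v.getPatchLevel() >= patch;
    }

    // Allowlist that includes the array rule named in the advisory (CVE-2026-54513).
    static ObjectMapper mapperWithArrayRule() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Dog.class)
                .allowIfSubTypeIsArray()   // rule whose component-type check the advisory describes as missing before 2.21.4
                .build();
        return withDefaultTyping(ptv);
    }

    // Narrower allowlist: only explicitly listed subtypes, no blanket array rule.
    static ObjectMapper mapperExplicitOnly() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder().allowIfSubType(Dog.class).build();
        return withDefaultTyping(ptv);
    }

    private static ObjectMapper withDefaultTyping(PolymorphicTypeValidator ptv) {
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // Constructed input: Cat is a real subtype of Animal but not allowlisted, so the validator must deny it.
    static boolean rejectsUnlistedSubtypeId(ObjectMapper m) throws Exception {
        String json = "{\"@class\":\"" + Cat.class.getName() + "\",\"name\":\"x\"}";
        try { m.readValue(json, Animal.class); return false; }
        catch (InvalidTypeIdException e) { return true; }
    }
}
```

Wire the three functions into a unit test and assert that databindIsAtLeast(2, 21, 4) and both rejectsUnlistedSubtypeId(...) calls return true; the version guard is what turns a silently older transitive jackson-databind into a failing build.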
lrathod requested a review from a team as a code owner June 24, 2026 08:16
aaron-steinfeld enabled auto-merge (squash) June 24, 2026 13:38

2 participants