fix(fit): 升级 jackson 至 2.21.1 修复异步解析器 DoS 漏洞

CodeCasterX · claude · CodeCasterX · commit cf4ec573f8a6 · 2026-03-04T11:48:22.000+08:00
修复 Dependabot 安全告警 #26（GHSA-72hv-8253-57qq），jackson-core 异步解析器 绕过 maxNumberLength 约束。将 jackson-core/databind 从 2.19.1 升级到 2.21.1， jackson-annotations 升级到 2.21（Jackson 2.20+ annotations 版本策略变更）。 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/framework/dependency/pom.xml b/framework/dependency/pom.xml
@@ -59,7 +59,8 @@
         <guava.version>32.0.1-jre</guava.version>
         <hanlp.version>portable-1.8.4</hanlp.version>
         <lombok.version>1.18.36</lombok.version>
-        <jackson.version>2.19.1</jackson.version>
+        <jackson.version>2.21.1</jackson.version>
+        <jackson-annotations.version>2.21</jackson-annotations.version>
         <mybatis.version>3.5.19</mybatis.version>
 
         <!-- Test framework versions -->
@@ -474,7 +475,7 @@
             <dependency>
                 <groupId>com.fasterxml.jackson.core</groupId>
                 <artifactId>jackson-annotations</artifactId>
-                <version>${jackson.version}</version>
+                <version>${jackson-annotations.version}</version>
             </dependency>
             <dependency>
                 <groupId>com.fasterxml.jackson.core</groupId>
diff --git a/framework/fit/java/fit-builtin/plugins/fit-message-serializer-json-jackson/pom.xml b/framework/fit/java/fit-builtin/plugins/fit-message-serializer-json-jackson/pom.xml
@@ -19,7 +19,7 @@
 
     <properties>
         <!-- Third-party versions -->
-        <jackson.version>2.19.1</jackson.version>
+        <jackson.version>2.21.1</jackson.version>
     </properties>
 
     <dependencies>
diff --git a/framework/fit/java/fit-maven-plugin/fit-maven-plugin-util/pom.xml b/framework/fit/java/fit-maven-plugin/fit-maven-plugin-util/pom.xml
@@ -17,7 +17,7 @@
 
     <properties>
         <!-- Third-party versions -->
-        <jackson.version>2.19.1</jackson.version>
+        <jackson.version>2.21.1</jackson.version>
         <lombok.version>1.18.36</lombok.version>
     </properties>
 
diff --git a/framework/fit/java/fit-util/pom.xml b/framework/fit/java/fit-util/pom.xml
@@ -17,7 +17,7 @@
 
     <properties>
         <!-- Third-party versions -->
-        <jackson.version>2.19.1</jackson.version>
+        <jackson.version>2.21.1</jackson.version>
     </properties>
 
     <dependencies>
