I have a doubt with the dependency management in maven central. I have to say that this is a project in initial phase and I am not using my own repository, that's why I have this doubt.
GitHub dependabot tells me that the version I use jackson-databind is vulnerable.
Package com.fasterxml.jackson.core:jackson-databind (Maven) Affected versions >= 2.13.0, <= 2.13.2.0 Patched version 2.13.2.1
[ERROR] Failed to execute goal on project erp-cloud-api: Could not resolve dependencies for project es.test.api.cloud:cloud-api:jar:0.3.0: The following artifacts could not be resolved: com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.13.2.1, com.fasterxml.jackson.core:jackson-core:jar:2.13.2.1, com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2.1, com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.13.2.1, com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.13.2.1: com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.13.2.1 was not found in https://repo.maven.apache.org/maven2 during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of central has elapsed or updates are forced -> [Help 1]
I am using version 2.13.2 in Maven core, because there are no patched versions. And dependabot still detects the version as vulnerable. How would be the right way to fix this without stopping using maven central?
What I want is to be able to have a reproducible build and use the patched version correctly.
Thank you very much and sorry if the way has already been explained.
Solution:
That version did exist. The problem was with other artifacts (like jackson-annotations, jackson-databind or jackson-datatype-joda etc.) of the same groupId that did not have that version. I was using a common property to group them all together and that's where the problem was coming from. Thank you!
A brief search of maven central reveals that the newest version of jackson-databind is 2.13.2.2.