Standardize jackson-core in Docker images to pinned versions from Maven Central #1

Merged
jykae merged 3 commits into main from copilot/update-flyway-jackson-dependencies
Mar 17, 2026

Conversation


Copilot AI commented Mar 17, 2026

Flyway 12's Maven assembly bundles multiple jackson-core versions in /flyway/lib/ because internal modules (flyway-core, flyway-database-*, flyway-reports) each resolve their own transitive jackson dependency. This triggers Trivy findings for the older versions.

Changes

  • All three Dockerfile variants (base, alpine, azure) that extract the flyway-commandline tarball now:

    • Delete all jackson-core-*.jar from the extracted distribution
    • Download the two required versions from Maven Central with SHA-256 verification
    • com.fasterxml.jackson.core:jackson-core:2.21.1 (2.x API consumers)
    • tools.jackson.core:jackson-core:3.1.0 (Flyway's own 3.x usage)
  • Versions and checksums are build ARGs with defaults matching pom.xml, overridable at build time without code changes

ARG JACKSON_CORE_V2=2.21.1
ARG JACKSON_CORE_V2_SHA256=1edd5f2e49dca5f8e4519957c24b7b3050bd1c7ee883920da33cff031ff1f7c0
ARG JACKSON_CORE_V3=3.1.0
ARG JACKSON_CORE_V3_SHA256=4dd383f96b51b9b9ac4b74bdf1c150df0100443e1da1fba480f57da09a2dcef7

Mono/oracle/redgate overlay Dockerfiles inherit from these base images — no changes needed there.
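As an added example, not the PR's own Dockerfile lines, here is the "delete, download, verify" step from the description written as POSIX sh so it can run inside a Dockerfile RUN. It assumes curl and sha256sum (coreutils or busybox) exist in the build stage; the function names are hypothetical, and the Maven Central path layout and the curl flags are my choices, not taken from the PR. The default versions and digests are the ARG values quoted above.

```shell
#!/bin/sh
# Added example, not the PR's Dockerfile: delete bundled jackson-core jars,
# fetch the two pinned versions from Maven Central, verify each SHA-256.
# Assumes curl and sha256sum are present. Function names are hypothetical.
set -eu

# Maven Central layout:
#   /maven2/<group as path>/<artifact>/<version>/<artifact>-<version>.jar
maven_central_url() {
    _group_path=$(printf '%s' "$1" | tr . /)
    printf 'https://repo1.maven.org/maven2/%s/%s/%s/%s-%s.jar\n' \
        "$_group_path" "$2" "$3" "$2" "$3"
}

# Compare a file's SHA-256 with the pinned value; the exit status is the verdict.
verify_sha256() {
    _actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$_actual" = "$2" ]
}

# Download group:artifact:version ($1:$2:$3) to $5 and verify it against $4.
# On mismatch the file is removed so a tampered or wrong jar never stays in
# the image layer, and the non-zero status fails the build.
fetch_verified_jar() {
    _url=$(maven_central_url "$1" "$2" "$3")
    curl -fsSL --retry 3 -o "$5" "$_url"
    if ! verify_sha256 "$5" "$4"; then
        rm -f "$5"
        echo "SHA-256 mismatch for $_url (expected $4)" >&2
        return 1
    fi
}

# Replace every bundled jackson-core jar under $1 with the two pinned
# versions. Defaults mirror the PR's ARG values; override via environment.
replace_jackson_core() {
    _lib=$1
    rm -f "$_lib"/jackson-core-*.jar
    fetch_verified_jar com.fasterxml.jackson.core jackson-core \
        "${JACKSON_CORE_V2:-2.21.1}" \
        "${JACKSON_CORE_V2_SHA256:-1edd5f2e49dca5f8e4519957c24b7b3050bd1c7ee883920da33cff031ff1f7c0}" \
        "$_lib/jackson-core-${JACKSON_CORE_V2:-2.21.1}.jar"
    fetch_verified_jar tools.jackson.core jackson-core \
        "${JACKSON_CORE_V3:-3.1.0}" \
        "${JACKSON_CORE_V3_SHA256:-4dd383f96b51b9b9ac4b74bdf1c150df0100443e1da1fba480f57da09a2dcef7}" \
        "$_lib/jackson-core-${JACKSON_CORE_V3:-3.1.0}.jar"
}

# Usage in a Dockerfile RUN (needs network): replace_jackson_core /flyway/lib
```

Two points worth keeping in mind when adapting this. The digest has to be pinned in the build file, as the PR does, rather than fetched from the `.sha256` sidecar next to the jar: that sidecar is served by the same host, so it only detects transfer corruption, not a substituted artifact. And both coordinates produce a file named `jackson-core-<version>.jar`, so the two downloads only coexist because the 2.x and 3.x version strings differ; the groupIds still matter because the 3.x jar lives under `tools.jackson` packages and does not replace the 2.x API for its consumers.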



Copilot AI and others added 2 commits March 17, 2026 12:25
…rsions

Remove all jackson-core JARs bundled by the Maven assembly and replace
them with the exact pinned versions downloaded from Maven Central during
Docker build. This ensures the runtime image contains only:
  - jackson-core 2.21.1 (com.fasterxml.jackson.core)
  - jackson-core 3.1.0  (tools.jackson.core)

Applied to all three Dockerfile variants (base, alpine, azure) that
extract the flyway-commandline tarball.

Co-authored-by: jykae <293452+jykae@users.noreply.github.com>
Address code review feedback: verify integrity of JARs downloaded from
Maven Central using sha256sum to prevent supply-chain tampering.

Co-authored-by: jykae <293452+jykae@users.noreply.github.com>
Copilot AI changed the title from "[WIP] [UPSTREAM-ISSUE] Remove duplicate jackson-core dependencies" to "Standardize jackson-core in Docker images to pinned versions from Maven Central" Mar 17, 2026
Copilot AI requested a review from jykae March 17, 2026 12:28
jykae marked this pull request as ready for review March 17, 2026 12:32

jykae (Owner) commented Mar 17, 2026

@copilot PR to upstream main

Copilot AI (Author) commented Mar 17, 2026

> @copilot PR to upstream main

The PR branch copilot/update-flyway-jackson-dependencies is ready with all changes (3 Dockerfiles modified: base, alpine, azure). I'm unable to change the PR target branch or create new PRs — you'll need to retarget this PR to upstream main via the GitHub UI, or open a new PR from this branch against the upstream remote.

jykae merged commit 16d7838 into main Mar 17, 2026
1 check passed
jykae deleted the copilot/update-flyway-jackson-dependencies branch March 17, 2026 12:37