The following version lines are actively supported:
- `problem4j-jackson-v1.2.x` - supported version line for Jackson 2,
- `problem4j-jackson3-v1.1.x` - supported version line for Jackson 3.
This library does not include transitively fixed versions of external dependencies such as:
- Jackson (`ObjectMapper` and friends).
It is the responsibility of the application using this library to:
- regularly update Jackson and other libraries to the latest patched releases,
- ensure that known CVEs are resolved by upgrading their chosen stack.
The maintainers cannot guarantee security if the consuming application uses outdated upstream dependencies.
Because this library does not manage transitive versions for Spring, Jackson, and other dependencies, please do not open PRs that update those upstream libs. Such updates belong in the consuming application, not here. This project is designed to remain dependency-light and avoid dictating the user's Jackson version. This helps to ensure maximum compatibility and avoids conflicts with application BOMs.
If you believe you have found a security issue in scope of Problem4J, please do not open a public GitHub Issue. Instead, please report the problem via GitHub Security Advisories.
Please include:
- version of the library,
- affected dependency versions (if relevant),
- sample code or minimal reproduction,
- details explaining the vulnerability.

The following are out of scope:
- Misconfiguration in user applications.
- Outdated versions of Spring Boot, Jackson, or other dependencies used by the consuming app.
- Vulnerabilities in upstream libraries not directly caused by this project.