
Conversation

@ZachChuba
Contributor

Code hygiene and clearing falsely flagged CVEs

Upgrade jackson and snakeyaml to the latest version. Aside from providing code hygiene, these two dependencies are flagged by FOSS scanning tools as having critical severity CVEs. Although not exploitable in testcontainers, this causes a headache for developers.

This is to address Issue #9289

@ZachChuba ZachChuba requested a review from a team May 9, 2025 11:16

@codefish1 codefish1 left a comment


I've double-checked, these are the latest versions as of today.

Thanks

@ZachChuba
Contributor Author

@eddumelendez Can you enable the tests CI flows so we can confirm this does not break and review?

@yeikel

yeikel commented May 28, 2025

@eddumelendez Can you enable the tests CI flows so we can confirm this does not break and review?

The easiest way to run CI and get that feedback is to send a pull request to your own fork's main and let CI run

I did that in my fork + your changes here: yeikel#1

Unfortunately, your changes are not passing some of the workflows

i.e.:


Gradle Test Executor 2 > ArtemisContainerTest > defaultCredentials FAILED
    java.util.ServiceConfigurationError: org.testcontainers.dockerclient.DockerClientProviderStrategy: Provider org.testcontainers.dockerclient.EnvironmentAndSystemPropertyClientProviderStrategy could not be instantiated
        at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:586)
        at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:813)
        at java.base/java.util.ServiceLoader$ProviderImpl.get(ServiceLoader.java:729)
        at java.base/java.util.ServiceLoader$3.next(ServiceLoader.java:1403)
        at java.base/java.lang.Iterable.forEach(Iterable.java:74)
        at org.testcontainers.DockerClientFactory.getOrInitializeStrategy(DockerClientFactory.java:152)
        at org.testcontainers.DockerClientFactory.client(DockerClientFactory.java:196)
        at org.testcontainers.DockerClientFactory$1.getDockerClient(DockerClientFactory.java:108)
        at com.github.dockerjava.api.DockerClientDelegate.authConfig(DockerClientDelegate.java:109)
        at org.testcontainers.containers.GenericContainer.start(GenericContainer.java:321)
        at org.testcontainers.activemq.ArtemisContainerTest.defaultCredentials(ArtemisContainerTest.java:24)

        Caused by:
        java.lang.NoClassDefFoundError: com/fasterxml/jackson/annotation/JsonKey

There are also other failures

        Caused by:
        java.lang.NoSuchMethodError: 'com.fasterxml.jackson.annotation.OptBoolean com.fasterxml.jackson.annotation.JsonProperty.isRequired()'

Refer to the link above to see the full CI Run. Example: https://github.com/yeikel/testcontainers-java/actions/runs/15290585561/job/43009689378?pr=1

I also sent you an invite in case it is more convenient to just push to my fork

@yeikel

yeikel commented May 28, 2025

It seems that the issue is a mismatch as docker-java-api is bringing jackson-annotations:2.10.3

Although we may be able to overwrite that, it seems safer to upgrade docker-java-api first as it is closely developed and tested with testcontainers-java

See docker-java/docker-java#2447
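The mismatch described above (jackson-databind at 2.18.x while docker-java-api still brings jackson-annotations 2.10.3, which surfaces as NoClassDefFoundError / NoSuchMethodError at test time) can be caught before a CI run by checking the resolved dependency tree. The script below is an added example, not part of this PR or of testcontainers-java: it parses the output of `./gradlew dependencies --configuration testRuntimeClasspath` (assumed standard Gradle tree format, with `a -> b` marking a version substituted by conflict resolution or a constraint) and reports any Jackson artifact whose resolved version differs from the rest of the family. The two embedded trees are constructed samples, and `OLD-VERSION` is a placeholder rather than a real docker-java release.

```python
import re
import sys
from collections import defaultdict

# One Gradle dependency-tree entry: group:artifact:requested, optionally followed by
# " -> resolved" when Gradle's conflict resolution (or a BOM/constraint) chose another version.
_COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<requested>[\w.\-]+)"
    r"(?:\s*->\s*(?P<resolved>[\w.\-]+))?"
)


def resolved_versions(tree_text):
    """Map (group, artifact) -> set of versions actually resolved in the tree."""
    seen = defaultdict(set)
    for line in tree_text.splitlines():
        match = _COORD.search(line)
        if match:
            version = match.group("resolved") or match.group("requested")
            seen[(match.group("group"), match.group("artifact"))].add(version)
    return seen


def jackson_skew(tree_text, group_prefix="com.fasterxml.jackson"):
    """Return {coordinate: [versions]} for every Jackson artifact when the family is not
    resolved to one single version; an empty dict means the classpath is aligned."""
    family = {
        f"{group}:{artifact}": sorted(versions)
        for (group, artifact), versions in resolved_versions(tree_text).items()
        if group.startswith(group_prefix)
    }
    distinct = {v for versions in family.values() for v in versions}
    return family if len(distinct) > 1 else {}


# Constructed sample: jackson-databind upgraded to 2.18.4 while docker-java-api still pulls
# jackson-annotations 2.10.3 (the "-> 2.10.3" arrow stands for a constraint pinning the
# older version). "OLD-VERSION" is a placeholder, not a real docker-java release.
BROKEN_TREE = """\
testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- com.fasterxml.jackson.core:jackson-databind:2.18.4
|    +--- com.fasterxml.jackson.core:jackson-core:2.18.4
|    \\--- com.fasterxml.jackson.core:jackson-annotations:2.18.4 -> 2.10.3
\\--- com.github.docker-java:docker-java-api:OLD-VERSION
     \\--- com.fasterxml.jackson.core:jackson-annotations:2.10.3
"""

# Constructed sample of the aligned state: every Jackson artifact resolves to 2.18.4.
ALIGNED_TREE = """\
testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- com.fasterxml.jackson.core:jackson-databind:2.18.4
|    +--- com.fasterxml.jackson.core:jackson-core:2.18.4
|    \\--- com.fasterxml.jackson.core:jackson-annotations:2.18.4
\\--- com.github.docker-java:docker-java-api:3.5.3
     \\--- com.fasterxml.jackson.core:jackson-annotations:2.10.3 -> 2.18.4
"""


def main():
    # Read the Gradle tree from stdin when it is piped in; otherwise use the broken sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    text = text or BROKEN_TREE
    skew = jackson_skew(text)
    if not skew:
        print("Jackson artifacts are aligned")
        return 0
    print("Jackson version skew detected (expect NoClassDefFoundError/NoSuchMethodError):")
    for coordinate, versions in sorted(skew.items()):
        print(f"  {coordinate}: {', '.join(versions)}")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Piping the real tree (`./gradlew dependencies --configuration testRuntimeClasspath | python3 jackson_skew.py`) gives a non-zero exit on skew, so the check can gate a dependency-bump PR before the full container test suite runs. The check deliberately looks at the resolved version (right of the arrow), since that is what ends up on the classpath.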

@ZachChuba
Contributor Author

Let me know when that version is published and I'll add it to the build

@gabrieljones

Let me know when that version is published and I'll add it to the build

@ZachChuba https://github.com/docker-java/docker-java/releases/tag/3.5.3 is published

@yeikel

yeikel commented Jul 13, 2025

@ZachChuba I updated and tested the upgrade via yeikel#2. All the tests are passing now

Can you merge that patch in?

After that, we'll need help to get it reviewed

@ZachChuba
Contributor Author

@yeikel Pushed the changes in this PR.

@ZachChuba ZachChuba changed the title Upgrade jackson to 2.19 and snakeyaml to 2.14 Upgrade jackson to 2.18 and snakeyaml to 2.14 Jul 14, 2025
@ZachChuba ZachChuba changed the title Upgrade jackson to 2.18 and snakeyaml to 2.14 Upgrade jackson to 2.18 and snakeyaml to 2.4 Jul 14, 2025
@yeikel

yeikel commented Jul 14, 2025

@yeikel Pushed the changes in this PR.

As per GitHub, your branch is not up to date with main. Can you resolve that?

Code hygiene and clearing falsely flagged CVEs
Also downgrade jackson to 2.18.4 to be aligned with docker-java-bom.
@ZachChuba ZachChuba force-pushed the upgrade-jackson-snakeyaml branch from d0adb4a to 14deb03 on July 15, 2025 16:59
@ZachChuba
Contributor Author

Rebased

@eddumelendez eddumelendez added the dependencies Pull requests that update a dependency file label Jul 16, 2025
@eddumelendez eddumelendez changed the title Upgrade jackson to 2.18 and snakeyaml to 2.4 Update jackson, snakeyaml and docker-java versions Jul 16, 2025
@eddumelendez eddumelendez merged commit 9efe8f3 into testcontainers:main Jul 16, 2025
105 checks passed
@eddumelendez
Member

Thank you so much for your contribution!

@eddumelendez eddumelendez added this to the next milestone Jul 16, 2025
@codefish1

Thanks everyone, I've been following keenly.

Just need to wait for the release now; when do we think that would be?

@yeikel

yeikel commented Jul 16, 2025

Thank you so much for your contribution

@eddumelendez Thank you for the quick turnaround

Given that what motivated this change was a CVE, is there any chance we can push this out as a minor patch?

I noticed that it is part of the next milestone, but it is unclear what the criteria for the next release are.

Thank you!

@mstuy

mstuy commented Jul 31, 2025

@eddumelendez Same question as above, is there any information on when the next release that contains this change will be available?

@baldimir

Hi, when is this going to be available in a release, please? Or is there some roadmap with planned future releases, please?

@Rene2000k

Hi, same request as above. It would be really helpful for us to have this as a patch release

@yeikel

yeikel commented Oct 14, 2025

Hi team,

Sorry for the ping but we've been waiting since May

Is there anything we can do to help this move forward as a release?

Thanks in advance!

@ZachChuba
Contributor Author

@yeikel @Rene2000k I've been waiting as well, v2.0.1 is now released and shows 0 vulns on sonatype.

@yeikel

yeikel commented Oct 24, 2025

@yeikel @Rene2000k I've been waiting as well, v2.0.1 is now released and shows 0 vulns on sonatype.

Yep, thank you. V2.0.0 is also not showing any vuln for me
