[improve][build] Upgrade jackson version to 2.15.0 for CVE-2022-1471

[mattisonchao]

Modifications

• Upgrade jackson version to 2.15.0

Verifying this change

• Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

• Added integration tests for end-to-end deployment with large payloads (10MB)
• Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

• Dependencies (add or upgrade a dependency)
• The public API
• The schema
• The default values of configurations
• The threading model
• The binary protocol
• The REST endpoints
• The admin CLI options
• The metrics
• Anything that affects deployment

Documentation

• doc
• doc-required
• doc-not-needed
• doc-complete

[tisonkun]

I wonder if #20085 already fixes CVE-2022-1471?

cc @Technoboy-

[Technoboy-]

I wonder if #20085 already fixes CVE-2022-1471?

cc @Technoboy-

Yes, fixed, but it's better also to accept this. because Jackson-2.15.0 is released yesterday.

[tisonkun]

OK. Then let's update the PR title for upgrading only.

... while I'd prefer wait a bit for new version tested instead of greedy upgrade when unnecessary.

[tisonkun]

After an offline discussion with @mattisonchao I notice that jackson-dataformat-yaml 2.14.2 still depend on snakeyaml 1.33 so this patch does fix a CVE.

[Technoboy-]

After an offline discussion with @mattisonchao I notice that jackson-dataformat-yaml 2.14.2 still depend on snakeyaml 1.33 so this patch does fix a CVE.

yes, right. Sorry for not declaring this.