fix(deps): bump gson from 2.8.0 to 2.11.0 (CVE-2022-25647)#73

Open

Gabrielpanga wants to merge 1 commit into master from deps/bump-gson-2.11.0

Conversation

@Gabrielpanga
Member

Summary

Bumps com.google.code.gson:gson from 2.8.0 to 2.11.0, closing Dependabot alert #11 (high severity).

  • CVE: CVE-2022-25647 — Deserialization of Untrusted Data in Gson
  • Advisory: GHSA-4jrv-ppp4-jm57
  • First patched version is 2.8.9. Bumped all the way to 2.11.0 (current stable on the 2.x line) so we don't immediately drift back into the long tail.

Gson 2.x is API-stable. The SDK only uses Gson, GsonBuilder, FieldNamingPolicy, JsonSyntaxException, and TypeToken — all unchanged between 2.8.0 and 2.11.0.

Test plan

  • mvn -B test — unit tests pass
  • mvn -B verify — 39 integration tests pass, 0 failures (hits live API; covers Item/Account/Transaction/Investment/Connector deserialization paths via converter-gson)

Closes Dependabot alert #11 (high severity).

- CVE-2022-25647 / GHSA-4jrv-ppp4-jm57 — deserialization of untrusted data
- First patched version is 2.8.9; bumped to 2.11.0 (current stable on
  the 2.x line) to avoid drifting back into the long tail.

Gson 2.x is API-stable. The SDK only uses Gson, GsonBuilder,
FieldNamingPolicy, JsonSyntaxException, and TypeToken — all unchanged
between 2.8.0 and 2.11.0. Full unit + integration suite passes (39
integration tests, 0 failures).
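A check reviewers of bumps like this one often want is that the version Maven actually resolves (not just the one declared in the pom) is past the advisory's first patched release, since `converter-gson` also pulls in Gson transitively. The script below is an added example and is not part of this pull request or the SDK; it parses the `[INFO] groupId:artifactId:type[:classifier]:version:scope` lines that `mvn dependency:list` prints and compares the Gson coordinate against 2.8.9, the first fixed version named above. The sample output lines are constructed for the example, not captured from a real build.

```python
"""Confirm the Gson version resolved by Maven is at or past the first patched
release for CVE-2022-25647 / GHSA-4jrv-ppp4-jm57 (2.8.9, per the advisory)."""
import re

FIRST_PATCHED = (2, 8, 9)
GSON_COORD = "com.google.code.gson:gson"

# Constructed sample of `mvn dependency:list` output (not a real build log).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] --- dependency:3.6.1:list (default-cli) @ sdk ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    com.squareup.retrofit2:converter-gson:jar:2.9.0:compile
[INFO]    com.google.code.gson:gson:jar:2.11.0:compile -- module com.google.gson
[INFO]    junit:junit:jar:4.13.2:test
"""


def parse_version(text):
    """Turn '2.8.9', '2.10' or '2.8.9-SNAPSHOT' into a comparable 3-tuple.
    Only the leading numeric dot-separated part is compared; qualifiers are
    ignored, which is conservative enough for a minimum-version gate."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def parse_dependency_line(line):
    """Return (groupId:artifactId, version, scope) for one resolved-artifact
    line, or None for headers and other chatter. Handles an optional
    classifier field and the trailing '-- module ...' note newer Maven adds."""
    if not line.startswith("[INFO]"):
        return None
    fields = line[len("[INFO]"):].strip().split(":")
    if len(fields) < 5:
        return None
    ga = ":".join(fields[:2])
    version = fields[-2]
    scope = fields[-1].split()[0]
    return ga, version, scope


def resolved_versions(output):
    """Map every resolved groupId:artifactId to its version."""
    found = {}
    for line in output.splitlines():
        parsed = parse_dependency_line(line)
        if parsed:
            ga, version, _scope = parsed
            found[ga] = version
    return found


def gson_status(output, first_patched=FIRST_PATCHED):
    """Classify the resolved Gson as 'fixed', 'vulnerable' or 'absent'."""
    versions = resolved_versions(output)
    if GSON_COORD not in versions:
        return "absent", None
    version = versions[GSON_COORD]
    verdict = "fixed" if parse_version(version) >= first_patched else "vulnerable"
    return verdict, version


if __name__ == "__main__":
    verdict, version = gson_status(SAMPLE_DEPENDENCY_LIST)
    print("%s resolved to %s: %s" % (GSON_COORD, version, verdict))
```

Running it against real output (`mvn -B dependency:list | python check_gson.py`, with the stdin plumbing added) gives a pass/fail gate that can sit next to the existing `mvn -B verify` step in CI.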