From 49653d29d7cc50626988fcb8c251cc0805385f32 Mon Sep 17 00:00:00 2001
From: Gabriel Pan Gantes <gabrielpanga@gmail.com>
Date: Tue, 26 May 2026 13:12:26 +0200
Subject: [PATCH] fix(deps): bump gson from 2.8.0 to 2.11.0 (CVE-2022-25647)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes Dependabot alert #11 (high severity).

- CVE-2022-25647 / GHSA-4jrv-ppp4-jm57 — deserialization of untrusted data
- First patched version is 2.8.9; bumped to 2.11.0 (current stable on
  the 2.x line) to avoid drifting back into the long tail.

Gson 2.x is API-stable. The SDK only uses Gson, GsonBuilder,
FieldNamingPolicy, JsonSyntaxException, and TypeToken — all unchanged
between 2.8.0 and 2.11.0. Full unit + integration suite passes (39
integration tests, 0 failures).
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 08525d7..971ebae 100644
--- a/pom.xml
+++ b/pom.xml
@@ -67,7 +67,7 @@
     <dependency>
       <groupId>com.google.code.gson</groupId>
       <artifactId>gson</artifactId>
-      <version>2.8.0</version>
+      <version>2.11.0</version>
     </dependency>
 
     <!-- Lombok -->