0

As part of a microservices implementation using Spring Boot and Maven, we are using the dependency spring-cloud-starter-vault-config. I understand that, as per the current status, spring-cloud-starter-vault-config has a compile-time dependency on spring-vault-core, which in turn has a dependency on jackson-databind. The issue is that jackson-databind has a dependency on jackson-core, which has the vulnerability issue. As of now there is no published non-vulnerable version available for jackson-core. For this reason we are unable to use spring-cloud-starter-vault-config, which ultimately has a dependency on jackson-core.

The logical dependency chain, in short, is:

spring-cloud-starter-vault-config --> spring-vault-core --> jackson-databind --> jackson-core (having vulnerability)

Can you please guide us on how we can use the spring-cloud-starter-vault-config library without any vulnerable dependency on jackson-core?

I am expecting to use the spring-cloud-starter-vault-config library without a compile-time dependency on jackson-core. I have also tried the suggestion of setting spring.http.converters.preferred-json-mapper=gson, as mentioned in "Is the Spring framework vulnerable because of Jackson dependency", but the issue still persists; I request further guidance on the same. That is, excluding the jackson-core dependency from the spring-cloud-starter-vault-config library does not work.

Sajin
  • 1
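
The dependency chain described in the question can be checked against the build's own resolved tree. As an added example (not part of the original post), this Python sketch parses the text output of mvn dependency:tree and lists every path that pulls in a given artifact; the sample tree, its placeholder versions, com.example coordinates and the function names are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output; versions are placeholders.
SAMPLE_TREE = r"""
[INFO] com.example:demo-service:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.cloud:spring-cloud-starter-vault-config:jar:X.Y.Z:compile
[INFO] |  \- org.springframework.vault:spring-vault-core:jar:X.Y.Z:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-databind:jar:X.Y.Z:compile
[INFO] |        +- com.fasterxml.jackson.core:jackson-annotations:jar:X.Y.Z:compile
[INFO] |        \- com.fasterxml.jackson.core:jackson-core:jar:X.Y.Z:compile
[INFO] \- com.example:other-lib:jar:1.0.0:compile
"""

# One tree node: optional "[INFO] ", 3-character indent groups, an optional
# "+- " or "\- " connector, then group:artifact:packaging[:classifier]:version[:scope].
NODE = re.compile(
    r"^(?:\[INFO\] )?(?P<indent>(?:[| ]  )*)(?P<conn>[+\\]- )?"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})\s*$"
)

def parse_tree(text):
    """Yield (depth, 'groupId:artifactId') for each node line of the tree."""
    for line in text.splitlines():
        m = NODE.match(line)
        if m is None:
            continue  # banner, blank line or build summary
        depth = len(m.group("indent")) // 3 + (1 if m.group("conn") else 0)
        group_id, artifact_id = m.group("coord").split(":")[:2]
        yield depth, f"{group_id}:{artifact_id}"

def paths_to(text, artifact_id):
    """Return every root-to-node path that ends at the given artifactId."""
    stack, found = [], []
    for depth, ga in parse_tree(text):
        del stack[depth:]  # leave the previous branch before descending again
        stack.append(ga)
        if ga.split(":")[1] == artifact_id:
            found.append(list(stack))
    return found

def direct_introducers(paths):
    """Direct (first-level) dependencies through which the artifact arrives."""
    return {path[1] for path in paths if len(path) > 1}

if __name__ == "__main__":
    for path in paths_to(SAMPLE_TREE, "jackson-core"):
        print(" --> ".join(path))
```

If more than one direct dependency is reported for the artifact, it reaches the classpath by several routes, and a change made under only one of them leaves the others in place.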

0 Answers