grobidOrg / grobid / 28218474081

39%

push

github

Update dependencies (Trivvy new critical issues and unused) (#1469)

- JLine telnet DoS (GHSA-47qp-hqvx-6r3f, GHSA-2r2c-cx56-8933): progressbar
transitively pulled the org.jline:jline uber-jar, which bundles the
vulnerable remote-telnet server. GROBID never runs a telnet server and
progressbar only uses the terminal API, so the uber-jar is excluded and
only jline-terminal is kept, removing the vulnerable module.

- jackson-databind < 2.21.4 (in the 2.21.x line) is affected by
CVE-2026-54513: BasicPolymorphicTypeValidator.allowIfSubTypeIsArray()
allowlists array types without validating their component type, so a
non-allowlisted EvilType[] can bypass an otherwise restrictive PTV.

- GROBID does not use the vulnerable polymorphic-typing API, so this is a
precautionary bump that also clears the Trivy alert. All four pinned
jackson modules (core, databind, afterburner, dataformat-yaml) are moved
2.21.3 -> 2.21.4 together to stay aligned.

- Drop unused dependencies (mockk, commons-dbutils, jackson-afterburner,
javax.activation, stringmetric_2.10) and demote jsonic to runtimeOnly
since it is only needed by the langdetect localLib at runtime, not on
grobid-core's compile API.

- Replace deprecated COARS filter with modern and compatible plumbing

---------

Signed-off-by: Luca Foppiano <luca@foppiano.org>

8670 of 24962 branches covered (34.73%)

Branch coverage included in aggregate %.

18456 of 45267 relevant lines covered (40.77%)

1.65 hits per line