
chore(deps): Purge stale dependency-graph manifest (step 1/2)#923

Merged
ybezsonov merged 1 commit into main from chore/purge-stale-depgraph-manifest on Jul 3, 2026

Conversation

@ybezsonov (Contributor)

GitHub's dependency graph still tracks a dead manifest at labs/unicorn-store/software/unicorn-store-spring/pom.xml (the module was removed from main in Feb 2025) and keeps raising phantom Dependabot alerts/update runs against it (tomcat, jackson, netty, logback, ...).

Step 1: re-add the path as a dependency-free placeholder so GitHub re-scans the manifest and clears the phantom findings. Step 2 (follow-up commit) deletes it to drop the manifest from the graph entirely.

Also remove the explicit com.fasterxml.jackson.core:jackson-databind pin from infra/cdk: it is unused by the app, supplied transitively by aws-cdk-lib, and did not actually escape GHSA-5jmj-h7xm-6q6v (which also covers < 2.21.5). Keeping the pin would block the transitive fix once jackson 2.21.5 / 2.22.1 ships.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
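One check a maintainer would want before and after a cleanup like this is a list of which open Dependabot alerts point at manifests that no longer exist in the checkout. The script below is an added example, not code from this PR or from the repository it targets. It assumes the documented shape of the GitHub Dependabot alerts REST API (each alert carries `dependency.manifest_path`, `dependency.package.name` and `security_advisory.ghsa_id`); the sample alerts, the `GHSA-0000-0000-000x` placeholder IDs and the `infra/cdk/pom.xml` path are constructed for illustration (the PR only says the pin lived under infra/cdk). The only real advisory ID used is the one the PR names.

```python
"""Flag open Dependabot alerts whose manifest is gone from the working tree.

Added example (not the PR's or repository's own code). Assumes the GitHub
Dependabot alerts REST API shape: alert["dependency"]["manifest_path"] is the
repo-relative manifest the alert was raised against.
"""
import json
import os
import urllib.request
from collections import defaultdict


def fetch_open_alerts(owner: str, repo: str, token: str) -> list:
    """Fetch the first page of open Dependabot alerts for owner/repo.

    Needs a token with security_events (or repo) scope; not used by the
    offline demo below.
    """
    url = (f"https://api.github.com/repos/{owner}/{repo}"
           "/dependabot/alerts?state=open&per_page=100")
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def paths_in_checkout(root: str) -> set:
    """Repo-relative, slash-separated paths of every file under a checkout."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git metadata
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.add(rel.replace(os.sep, "/"))
    return found


def find_phantom_alerts(alerts: list, existing_paths: set) -> dict:
    """Group alerts by manifest path and keep only manifests that no longer exist.

    Returns {manifest_path: [(package_name, ghsa_id), ...]} for paths absent
    from existing_paths; those are the "phantom" findings the PR describes.
    """
    by_manifest = defaultdict(list)
    for alert in alerts:
        dep = alert.get("dependency") or {}
        path = dep.get("manifest_path")
        if not path:  # alerts with no manifest attribution cannot be checked
            continue
        pkg = (dep.get("package") or {}).get("name", "?")
        ghsa = (alert.get("security_advisory") or {}).get("ghsa_id", "?")
        by_manifest[path].append((pkg, ghsa))
    return {p: deps for p, deps in by_manifest.items() if p not in existing_paths}


# Constructed sample data: a dead Spring module manifest with two alerts, and a
# live CDK manifest with one. GHSA-0000-... IDs are placeholders, not real
# advisories; GHSA-5jmj-h7xm-6q6v is the jackson-databind advisory the PR cites.
DEAD_MANIFEST = "labs/unicorn-store/software/unicorn-store-spring/pom.xml"
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "dependency": {"package": {"ecosystem": "maven",
                                "name": "org.apache.tomcat.embed:tomcat-embed-core"},
                    "manifest_path": DEAD_MANIFEST},
     "security_advisory": {"ghsa_id": "GHSA-0000-0000-0001", "severity": "high"}},
    {"number": 2, "state": "open",
     "dependency": {"package": {"ecosystem": "maven",
                                "name": "com.fasterxml.jackson.core:jackson-databind"},
                    "manifest_path": DEAD_MANIFEST},
     "security_advisory": {"ghsa_id": "GHSA-5jmj-h7xm-6q6v", "severity": "medium"}},
    {"number": 3, "state": "open",
     "dependency": {"package": {"ecosystem": "maven",
                                "name": "com.fasterxml.jackson.core:jackson-databind"},
                    "manifest_path": "infra/cdk/pom.xml"},  # assumed path
     "security_advisory": {"ghsa_id": "GHSA-5jmj-h7xm-6q6v", "severity": "medium"}},
]
SAMPLE_TREE = {"infra/cdk/pom.xml", "README.md"}  # constructed checkout listing


if __name__ == "__main__":
    for manifest, deps in find_phantom_alerts(SAMPLE_ALERTS, SAMPLE_TREE).items():
        print(f"phantom manifest: {manifest}")
        for pkg, ghsa in deps:
            print(f"  {pkg}  {ghsa}")
```

Against a real repository, replace the constructed sample with `fetch_open_alerts(owner, repo, os.environ["GITHUB_TOKEN"])` and `paths_in_checkout(".")` run from a clean checkout of the default branch. Any manifest the script reports is exactly the case this PR handles: the dependency graph is still keyed on a path that no longer exists, so the alerts cannot be fixed by editing code and need the re-scan-then-delete dance described above.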

ybezsonov merged commit a614c07 into main on Jul 3, 2026
49 checks passed
ybezsonov deleted the chore/purge-stale-depgraph-manifest branch on July 3, 2026 08:09