From bbe25ccb3c615611f42d51a82e95efeac1896ebe Mon Sep 17 00:00:00 2001 From: Yuriy Bezsonov Date: Fri, 3 Jul 2026 10:00:29 +0200 Subject: [PATCH] chore(deps): Purge stale dependency-graph manifest (step 1/2) GitHub's dependency graph still tracks a dead manifest at labs/unicorn-store/software/unicorn-store-spring/pom.xml (the module was removed from main in Feb 2025) and keeps raising phantom Dependabot alerts/update runs against it (tomcat, jackson, netty, logback, ...). Step 1: re-add the path as a dependency-free placeholder so GitHub re-scans the manifest and clears the phantom findings. Step 2 (follow-up commit) deletes it to drop the manifest from the graph entirely. Also remove the explicit com.fasterxml.jackson.core:jackson-databind pin from infra/cdk: it is unused by the app, supplied transitively by aws-cdk-lib, and did not actually escape GHSA-5jmj-h7xm-6q6v (which also covers < 2.21.5). Keeping the pin would block the transitive fix once jackson 2.21.5 / 2.22.1 ships. --- infra/cdk/pom.xml | 10 -------- .../software/unicorn-store-spring/pom.xml | 24 +++++++++++++++++++ 2 files changed, 24 insertions(+), 10 deletions(-) create mode 100644 labs/unicorn-store/software/unicorn-store-spring/pom.xml diff --git a/infra/cdk/pom.xml b/infra/cdk/pom.xml index cdf7d80d..0de48732 100644 --- a/infra/cdk/pom.xml +++ b/infra/cdk/pom.xml @@ -93,16 +93,6 @@ 2.46.20 - - - com.fasterxml.jackson.core - jackson-databind - - 2.21.4 - - org.json diff --git a/labs/unicorn-store/software/unicorn-store-spring/pom.xml b/labs/unicorn-store/software/unicorn-store-spring/pom.xml new file mode 100644 index 00000000..22b246c4 --- /dev/null +++ b/labs/unicorn-store/software/unicorn-store-spring/pom.xml @@ -0,0 +1,24 @@ + + + + 4.0.0 + com.unicorn + unicorn-store-spring-removed + 0.0.0 + pom +
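Review bot: In the infra/cdk/pom.xml hunk, dropping the explicit `com.fasterxml.jackson.core:jackson-databind` / `2.21.4` pin hands the effective version over to whatever aws-cdk-lib 2.46.20 pulls in transitively, but neither the hunk nor the commit message records what that resolved version is. Since the message itself says the fix (2.21.5 / 2.22.1) has not shipped yet, the only thing to verify is that the transitive resolution does not regress to an older jackson-databind with additional advisories; please run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` in infra/cdk and state the resolved version in the commit message so the "did not actually escape GHSA-5jmj-h7xm-6q6v, so the pin buys nothing" argument is checkable from the history.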
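Review bot: The new labs/unicorn-store/software/unicorn-store-spring/pom.xml carries nothing that marks it as a tombstone: the visible lines only declare `com.unicorn` / `unicorn-store-spring-removed` / `0.0.0` with `pom` packaging, and the intent (re-scan the manifest, then delete it in step 2) lives solely in the commit message. Add a short XML comment at the top of the file stating that it is a dependency-free placeholder for the module removed in Feb 2025 and is to be deleted in the follow-up commit, so that if step 2 never lands the file explains itself. Also worth confirming that no aggregator pom under labs/unicorn-store still lists this path in `<modules>`, otherwise the placeholder becomes part of a real build rather than just a manifest for the dependency graph.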