
fix(security): remediate CVE-2022-42003 in jackson-databind#145

Open
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1781526807-cve-2022-42003-jackson-databind

Conversation

devin-ai-integration[bot] commented Jun 15, 2026

Summary

Remediates CVE-2022-42003 — a polymorphic deserialization vulnerability in jackson-databind that can lead to remote code execution via crafted JSON payloads when UNWRAP_SINGLE_VALUE_ARRAYS is enabled.

Spring Boot 2.6.3's BOM pulls jackson-databind:2.13.1 (vulnerable). This PR overrides jackson-bom.version to 2.13.5 which includes the fix.

# build.gradle
+ ext['jackson-bom.version'] = '2.13.5'
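Review bot: the before/after trees below show only jackson-databind, but `jackson-bom.version` moves every artifact the BOM manages, so please paste the whole `com.fasterxml.jackson.core` subtree (jackson-core, jackson-annotations and whatever other Jackson modules the project pulls in) from the same `./gradlew dependencies --configuration <name>` run, and name the configuration the excerpt came from; a tree where databind is 2.13.5 but a sibling module stayed at 2.13.1 is exactly what this description should let a reviewer rule out.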

Before / After dependency tree

Before (vulnerable):

com.fasterxml.jackson.core:jackson-databind:2.13.1
   Selection reasons:
      - Selected by rule
      - By constraint

After (patched):

com.fasterxml.jackson.core:jackson-databind:2.13.5
   Selection reasons:
      - Selected by rule
      - By constraint

com.fasterxml.jackson.core:jackson-databind:2.13.1 -> 2.13.5

Verification

  • ./gradlew clean test spotlessCheck passes (68 tests, 0 failures)
  • No API breaks — jackson-databind 2.13.5 is a drop-in patch for 2.13.1
  • JaCoCo coverage verification failure is pre-existing (0.33 < 0.80 threshold) and unrelated to this change

Link to Devin session: https://partner-workshops.devinenterprise.com/sessions/08826ff5f588436cb8ddbe589ac3f013
Requested by: @bsmitches
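As an added verification check, not part of this PR or the project's code: a small Python script that parses Gradle's dependency-tree output (the `2.13.1 -> 2.13.5` arrow form shown above) and reports whether every resolved jackson-databind is at or above the version the description names as fixed. The tree text is constructed sample output, not the repository's.

```python
import re

# Constructed samples of `./gradlew dependencies` output (not the project's real trees).
# Gradle prints "requested -> resolved" when a BOM constraint overrides a version.
SAMPLE_BEFORE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-json:2.6.3
|    +--- com.fasterxml.jackson.core:jackson-databind:2.13.1
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.13.1
|    |    \\--- com.fasterxml.jackson.core:jackson-core:2.13.1
"""
SAMPLE_AFTER = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-json:2.6.3
|    +--- com.fasterxml.jackson.core:jackson-databind:2.13.1 -> 2.13.5
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.13.5
|    |    \\--- com.fasterxml.jackson.core:jackson-core:2.13.5
+--- com.fasterxml.jackson.core:jackson-databind:2.13.5 (c)
"""

# Minimum version the PR description identifies as containing the fix.
FIXED_VERSION = (2, 13, 5)

# group:name:requested[ -> resolved]; the trailing "(c)"/"(*)" markers are not consumed.
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<requested>[\w.\-]+)"
    r"(?:\s*->\s*(?P<resolved>[\w.\-]+))?"
)

def parse_version(v):
    """'2.13.5' -> (2, 13, 5); non-numeric parts are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def resolved_versions(tree, group, name):
    """Every version that actually ends up on the classpath for group:name.
    If Gradle printed 'requested -> resolved', the resolved side is the effective one."""
    found = set()
    for m in DEP_RE.finditer(tree):
        if m.group("group") == group and m.group("name") == name:
            found.add(m.group("resolved") or m.group("requested"))
    return found

def is_remediated(tree, group="com.fasterxml.jackson.core",
                  name="jackson-databind", fixed=FIXED_VERSION):
    """True only if the artifact is present and every resolved copy is >= the fixed version."""
    versions = resolved_versions(tree, group, name)
    return bool(versions) and all(parse_version(v) >= fixed for v in versions)

if __name__ == "__main__":
    print("before:", is_remediated(SAMPLE_BEFORE))  # False
    print("after: ", is_remediated(SAMPLE_AFTER))   # True
```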



…22-42003

Override jackson-bom.version managed by Spring Boot from 2.13.1 to 2.13.5
to fix CVE-2022-42003 (polymorphic deserialization vulnerability in
jackson-databind). The Spring Boot 2.6.3 BOM pulls jackson-databind 2.13.1
which is vulnerable; 2.13.5 contains the fix.

All 68 existing tests continue to pass.
@devin-ai-integration

Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

