Upgrade MyBatis 3.2.5 → 3.5.16 (deserialization vulnerability) (#162)

Copilot · vharseko · web-flow · commit 615ef0f93858 · 2026-04-17T16:05:46.000+03:00
Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: vharseko &lt;6818498+vharseko@users.noreply.github.com&gt;
diff --git a/legal/THIRDPARTYREADME.txt b/legal/THIRDPARTYREADME.txt
@@ -139,8 +139,8 @@ Jack Phelan, jphelan@andrew.cmu.edu: author (first version of core module)
 Version: joda-time-2.1.jar
 Copyright: Copyright 2001-2005 Stephen Colebourne
 
-Version: mybatis-3.2.5.jar
-Copyright: Copyright 2009-2012 The MyBatis Team
+Version: mybatis-3.5.16.jar
+Copyright: Copyright 2009-2024 The MyBatis Team
            Copyright 2010 The Apache Software Foundation
 
 Version: disruptor-3.0.1.jar
diff --git a/pom.xml b/pom.xml
@@ -115,6 +115,7 @@
 
 
         <!-- Third party dependency versions -->
+        <mybatis.version>3.5.16</mybatis.version>
         <orientdb.version>2.1.25</orientdb.version>
         <orientdb.studio.version>1.7.10</orientdb.studio.version>
         <javascript.maven.plugin.version>2.0.0-alpha-1</javascript.maven.plugin.version>
@@ -630,6 +631,13 @@
                 <version>${h2.version}</version>
             </dependency>
 
+            <!-- MyBatis: override transitive dependency from activiti-engine to address CVE -->
+            <dependency>
+                <groupId>org.mybatis</groupId>
+                <artifactId>mybatis</artifactId>
+                <version>${mybatis.version}</version>
+            </dependency>
+
             <dependency>
                 <groupId>net.lingala.zip4j</groupId>
                 <artifactId>zip4j</artifactId>
