dependency on jakarta.json 2.0.1 triggers CVE-2023-4043

### Version

5.5.0

### What happened?

In a customer project, we use a library that in turn uses `jena-shex` and `jena-arq` both in version 5.5.0. The latter depends on org.glassfish jakarta.json version 2.0.1
https://github.com/apache/jena/blob/e325baa7b6d613f78958af32a101ea48c9909866/pom.xml#L67
This in turn contains https://github.com/jakartaee/jsonp-api/blob/2.0.1-RELEASE/impl/src/main/java/org/glassfish/json/JsonNumberImpl.java, which, according to a mandatory scanning tool, is affected by https://www.cve.org/CVERecord?id=CVE-2023-4043.

Would it be possible to upgrade to a more recent implementation, e.g. org.eclipse.parsson?
(This also affects version 5.6.0)


### Relevant output and stacktrace

```shell

```

### Are you interested in making a pull request?

None

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

dependency on jakarta.json 2.0.1 triggers CVE-2023-4043 #3561

Version

What happened?

Relevant output and stacktrace

Are you interested in making a pull request?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

dependency on jakarta.json 2.0.1 triggers CVE-2023-4043 #3561

Description

Version

What happened?

Relevant output and stacktrace

Are you interested in making a pull request?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions