The 7.0.2 Gradle plugin is pulling in a vulnerable...
# graphql-kotlin
The 7.0.2 Gradle plugin is pulling in a vulnerable version of Jackson (2.15.2), and I'm really struggling to use dependency constraints to force that to a newer one (it works for real project dependencies, but I haven't been able to get it working for the GraphQL Kotlin Gradle plugin). Anyone know how to force that constraint, or if there's a plan to release a new version of the plugin that depends on a newer version of Jackson?
No longer a maintainer so I can’t help merge but a quick change and build here to verify the new version could be a good contribution https://github.com/ExpediaGroup/graphql-kotlin/blob/master/gradle/libs.versions.toml
updating Gradle plugin dependencies is somewhat confusing (and not documented?) I believe something along those lines should work
```kotlin
buildscript {
    dependencies {
        // explicitly specify the dependency here
        classpath("com.fasterxml.jackson.module:jackson-module-kotlin:2.16.1")
    }
}
```
you can verify whether it works by then running the target goal with `--scan` and checking the build dependencies
actually unsure -> we are using worker API for isolating plugin classpath so unsure if those tasks will pick up the latest version from build script dependencies -> might be a good question for gradle folks at the gradle-community.slack.com
You can constrain transitive dependencies with Gradle using this: https://docs.gradle.org/current/userguide/dependency_constraints.html#sec:adding-constraints-transitive-deps For normal dependencies I recommend using dependencyInsight to determine what is impacting the version (i.e. is there a BOM or some other plugin modifying the requested version). Build script dependencies can be seen with ./gradlew buildEnvironment
👋 that's for library dependencies, that won't work for the plugin (you will need to use buildscript dependencies)
actually nvm constraints should also work as long as they are put into buildscript deps