Comment by Macha
5 years ago
Got similar from the security department of my previous company. Every time a new gadget was found in Jackson that allowed RCE if you turned on the feature to instantiate arbitrary classes based on user input (which is clearly documented with warnings in Jackson and was linted against being enabled in our internal rules _anyway_), we would get a ticket that we had 24 hours to update to the new Jackson version which just added that to their blacklist of classes not to be instantiated.
"Prototype pollution" from transitive dependencies of our frontend build scripts in node was another one where we would get spam security issues, though thankfully without the same tight deadline.
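For readers who have not seen the Jackson feature the comment refers to, here is an added example (not code from the comment author, and not Jackson's own code) that puts the weak setting beside the hardened ones. The event classes, the package prefix `com.example.events.` and the type id `com.example.NotAllowed` in the constructed input are hypothetical; the Jackson API calls (`enableDefaultTyping`, `activateDefaultTyping`, `BasicPolymorphicTypeValidator`, `@JsonTypeInfo`/`@JsonSubTypes`) are the real ones from jackson-databind 2.10 and later.

```java
// Added example: contrasts Jackson default typing that trusts user-supplied
// class names with an allowlisted validator and with explicit logical type
// names. Hypothetical classes and package names are constructed for the demo.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // --- hypothetical application types -------------------------------------
    public static class EmailEvent { public String to; }
    public static class LoginEvent { public String user; }

    // Preferred shape: the type id in JSON is a logical name that maps only to
    // classes listed here, so user input can never name an arbitrary class.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = NamedEmail.class, name = "email"),
        @JsonSubTypes.Type(value = NamedLogin.class, name = "login")
    })
    public interface NamedEvent {}
    public static class NamedEmail implements NamedEvent { public String to; }
    public static class NamedLogin implements NamedEvent { public String user; }

    // --- the weak setting the comment describes ---------------------------
    // Type ids are fully qualified class names taken from the JSON itself.
    // Deprecated in 2.10 for exactly this reason; the blacklist of known
    // gadget classes was the only thing standing between input and `new`.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // --- hardened: same feature, but resolution is gated by an allowlist ----
    // Only subtypes under the application's own package (hypothetical prefix)
    // may be named; anything else is rejected before the class is loaded.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.events.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // --- strictest: no default typing at all, only annotated logical names --
    static ObjectMapper explicitMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the 2-element array form Jackson uses for
        // NON_FINAL default typing, naming a class that is NOT allowlisted.
        String untrusted = "[\"com.example.NotAllowed\", {\"to\": \"x\"}]";

        // With the allowlist, the validator denies the type id up front and
        // Jackson raises a JsonMappingException subtype; no class is loaded.
        try {
            hardenedMapper().readValue(untrusted, Object.class);
            System.out.println("hardened: unexpectedly accepted");
        } catch (JsonMappingException e) {
            System.out.println("hardened: rejected -> " + e.getOriginalMessage());
        }

        // With logical names there is no class name in the payload at all;
        // an unknown name fails, a listed one deserialises to its fixed class.
        ObjectMapper explicit = explicitMapper();
        NamedEvent ok = explicit.readValue(
            "{\"type\":\"login\",\"user\":\"alice\"}", NamedEvent.class);
        System.out.println("explicit: " + ok.getClass().getSimpleName());
        try {
            explicit.readValue("{\"type\":\"com.example.NotAllowed\"}", NamedEvent.class);
        } catch (JsonMappingException e) {
            System.out.println("explicit: rejected -> " + e.getOriginalMessage());
        }
    }
}
```

The point for a reviewer or a linter rule like the one the comment mentions: a dependency bump that extends Jackson's deny-list only matters if `enableDefaultTyping`/`activateDefaultTyping` is reachable from untrusted input. Grepping a codebase for those two calls, and for `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)`, tells you whether a new gadget advisory applies at all before accepting a 24-hour deadline.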