Building nd4j-jackson to resolve security vulnerabilities in M2.1

I use DL4J in a micro-service war and our scans have dinged the shaded nd4j jackson jar. Specifically,

/app/app.war/jackson-1.0.0-M2.1.jar contains:
— jar     critical    org.yaml_snakeyaml version 1.26 has 7 vulnerabilities
— jar     high    com.fasterxml.jackson.core_jackson-databind version 2.13.3 has 2 vulnerabilities
— jar     high    com.fasterxml.jackson.core_jackson-core version 2.13.3 has 1 vulnerability
— jar     moderate    com.fasterxml.woodstox_woodstox-core version 5.1.0 has 1 vulnerability

I’m part of a larger project and attempting to reduce the number and severity of the vulnerabilities in my code areas.

Since the offending vulnerabilities are in a pure Java module, I’m thinking of how to build the jackson.jar. Building the entire tool seems a bit overwhelming as it requires C++/build tools/scripts etc which I’d rather avoid.

Does anyone see any likely issues with doing the following?

deeplearning4j/nd4j/nd4j-shade/jackson$ mvn package -Djackson.version=2.14.3 -Djackson.databind.version=2.14.3 -Dshaded.snakeyaml.version=1.33

Have there been plans for a M2.2 release or has anyone updated the jackson.jar previously?