-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Jackson Release 2.13
Jackson Version 2.13 was released on September 30, 2021. Two release candidates (2.13.0-rc1, 2.13.0-rc2) were released prior to the final 2.12.0.
This wiki page gives a list of links to all changes (with brief descriptions) that were included.
Branch is open and new full releases are expected.
- 2.13.1 (19-Dec-2021)
- 2.13.2 (06-Mar-2022)
- 2.13.3 (14-May-2022)
- 2.13.4 (03-Sep-2022)
- 2.13.5 not released yet
Following micro-patches have been released:
-
jackson-databind
2.13.2.1
(24-Mar-2022) -- withjackson-bom
version2.13.2.20220324
-
#2816: Optimize
UntypedObjectDeserializer
wrt recursion (CVE-2020-36518) -
NOTE! As per #3465 any code that sub-classes
UntypedObjectDeserializer
may break due to unintended removal of existing methods (that is, a change to add a new argument).
-
#2816: Optimize
-
jackson-databind
2.13.2.2
(28-Mar-2022) -- withjackson-bom
version2.13.2.20220328
- Same as
2.13.2.1
above, but correct Gradle Module Metadata (2.13.2.1 had invalid reference to parent,jackson-bom
) -
NOTE! As per #3465 any code that sub-classes
UntypedObjectDeserializer
may break due to unintended removal of existing methods (that is, a change to add a new argument).
- Same as
-
jackson-databind
2.13.4.1
(12-Oct-2022) -- withjackson-bom
version2.13.4.20221012
-
#3590 Add check in primitive value deserializers to avoid deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS
[CVE-2022-42003]
-
#3590 Add check in primitive value deserializers to avoid deep wrapper array nesting wrt
JDK baseline for most components has been raised to Java 8 for jackson-databind
and other components that so far
(up until 2.12) had only required Java 7 (but not including ones that only require Java 6 -- jackson-annotations
, jackson-core
and jackson-jr
-- which will retain Java 6 minimum).
Benefits include:
- Ability to embed one or both of "Java 8 datatypes" (
Optional
and related) and "Java 8 parameter names" (auto-discovery of constructor parameters) -- eventually, but not in 2.13 - Convergence with 3.0 plans: can add configuration methods that take closures (modifications of "Config Overrides" and "Coercion Configs" in particular)
- Ability to use Java 8 functional aspects in API in general for both 2.x and 3.0
The new jackson-jakarta-rs-providers
requires JDK 11 to build (due to Jetty test dependency); other modules still only need JDK 8.
-
jackson-jaxrs-providers
no longer has a work-around to (try to) allow use with JAX-RS 1.x implementations (see issue #134 below). It is doubtful usage would work regardless, but complex hack was is removed from 2.13.0. -
module-info.class
is now included underMETA-INF/versions/11/
in jars, instead of at root level (see jackson-bom#39) -
jackson-dataformat-xml
no longer has direct dependency onjackson-module-jaxb-annotations
!- Helps resolve issues wrt "JAXB vs Jakarta" problems
- Jackson jr
jr-stree
dependency tojr-objects
now optional, as per jackson-jr#88 (since there is only one reference, and that from a class use for which means caller already usesjr-objects
directly anyway)
- Change databind#3117 reduces introspection visibility for "JDK Types" (classes in
java.*
andjavax.*
packages) to "only public fields, accessors" (see issue for details) to improve JDK compatibility with newer JDKs. This results in the following reported observable changes:-
databind#3493:
java.io.ByteArrayOutputStream
happened to serialize previously, as a POJO (with propertiesbuf
andcount
); it will no longer be serializable out-of-the-box.- A follow-up issue databind#3522 filed for possibly allowing serialization, but as proper Binary value
-
databind#3493:
- To fix databind#3130 (StackOverflow on JDK 11+ when serializing
java.lang.Thread
), serialization ofjava.lang.ClassLoader
is now empty Object ({ }
) -- if users want different serialization, need to add custom serializer - To fix databind#3244 a set of formerly unserializable Jackson types like
ObjectMapper
are now serialized as Empty Object value (see databind#3302 for details) - Fix for databind#3271 to remove unintended coercion of JSON
null
into Java String "null" (in context of reading Type Id) had the downstream effect of breakage for DropWizard (reported as databind#3313).- New behavior is considered correct and will remain in 2.13 and later versions.
- As reported in databind#3510 earlier "accidental" support for deserializing
javax.mail.internet.InternetAddress
no longer exists (likely removed from 2.12.0 already) due to security improvements. Since this type is nore part of Core JDK, support would need to be added as a Module (cannot add new library dependencies injackson-databind
)- No module currently exists: users will need to, for now, provide a custom deserializer to deserialize this type.
New module -- jackson-dataformat-toml
-- now included in jackson-dataformats-text, supports TOML.
To allow working around the Oracle-created "Javax vs Jakarta" problem, Jackson 2.13 introduces hard forks of 3 kinds of existing modules (see below). You (or your platform/framework) will need to change dependencies appropriately, to get the module needed for your Jakarta-or-Javax APIs (hooray for interoperability).
Note that these modules will obsolete Jackson 2.12 use of "-jakarta" classifier for JAXB and JAX-RS provider modules.
New module -- jackson-module-jakarta-xmlbind-annotations
-- added in "jackson-modules-base", as alternative to existing
"old" JAXB Annotations module.
New modules with names like jackson-jakarta-rs-json-provider
(for cbor
, smile
, xml
and yaml
) as alternatives to
existing "jackson-jaxrs-[FORMAT]-provider" providers.
New module, jackson-datatype-jakarta-jsonp
added as the replacement for Javax/JSON-P supporting jackson-datatype-jsr353
.
New module, jackson-datatype-jakarta-mail
added to support a small subset (one class, jakarta.mail.internet.InternetAddress
) of Jakarta Mail (ex "Java Mail") library.
New module -- jackson-module-no-ctor-deser
-- now included in jackson-modules-base -- added to support a very specific use case of POJOs that do not have either:
- No-arguments ("default") constructor, nor
-
@JsonCreator
annotated constructor or factory method
in which case module can force instantiation of values without using any constructor, using JDK-internal implementation (included to support JDK serialization itself). Note that this module may stop functioning in future, but appears to work at least until JDK 14.
Due to low-to-no usage of Hibernate 3 module (as compared to Hibernate 4 and 5), Hibernate 3 module
(jackson-datatype-hibernate3
)
will be dropped from 2.13, as per datatype-hibernate#139.
(NOTE: whether Hibernate module will be released for Jackson 3.x is an open question too, due to the lack of maintainers)
A class of impossible-to-fix problems related to Creator methods (constructors, factory methods) is due to "duality" of Creator discovery and General property discovery. Problem is that the process goes like this:
- General property discovery is performance by
POJOPropertiesCollector
: this is based on finding regular accessors (Fields, Getter/Setter methods) using both name-based auto-discovery and annotations, but also includes (annotated) Creator property parameters -- but notably not parameters of possible implicit (auto-discovered) Constructors. Accessors are combined into logical properties, expressed as (and accessed through)BasicBeanDescription
container. -
BeanDeserializerFactory
takesBasicBeanDescription
and introspect possible Creators: this starts from scratch and finds potential Creators both by explicit annotations and possible auto-discovery. It will also try to combine already known Properties (from step 1) with now-located Creator parameters.
... and the problem is that "implicit" Creators -- ones with no explicitly annotated parameters (note: Not related to annotation of Creators method itself, but to parameter annotations!) -- will not be known during step (1) and as such will:
- Not be renamed by
PropertyNamingStrategy
- Not get annotations from related accessors (normally annotation in one of accessors is essentially applied to all), nor contribute annotations to be used for others
Fixing this general problem by either:
- Moving Creator discovery as part of
POJOPropertiesCollector
(preferred), or - Trying to combine pieces in step 2 more throughly (could resolve some of the issues)
would fix some of existing failing tests, and in particular help with newly found problems with Record
handling (added in 2.12).
Separate configuration settings for:
Part of/related to JSTEP-3, it'd be good to have a set of simple on/off features to configure read/write/transform aspects of JsonNode
, distinct from POJOs.
These settings should ideally be per-call, similar to [De]SerializationFeature
.
Part of/related to JSTEP-5 (and JSTEP-6), there are things that should be easily configurable as on/off "features", or similar configuration object(s).
One challenging part is that some of the settings should probably be per-call ones (i.e. can change on specific read/write); whereas others must be per-mapper (unchangeable after construction)
Handling of Enum
value reading, writing, is currently configured with a hodge-podge of SerializationFeature
/ DeserialiationFeature
s, but as with JsonNode
and Date/Time values, that's not a good place as those should be for more general aspects of handling.
This is covered to some degree in JSTEP-6.
So we should like have EnumFeature
s too, changeable on per-call basis; partly to replace existing [De]SerializationFeature
s (for 3.0), and partly to expose new ones.
Mentioned as one future JSTEP on https://github.com/FasterXML/jackson-future-ideas/wiki/JSTEP, there really should be limits to maximum size and/or complexity of input to process, mostly to prevent potential DoS attacks (as well as accidental "intern brought down our system by broken script" cases). There is some prior art in Woodstox, for example (see Woodstox-specific settings ("limits")).
Full set of changes included in 2.13.0 release.
No changes since 2.12
- #652: Misleading exception for input source when processing byte buffer with start offset
-
#658: Escape contents of source document snippet for
JsonLocation._appendSourceDesc()
-
#664: Add
StreamWriteException
type to eventually replaceJsonGenerationException
-
#671: Replace
getCurrentLocation()
/getTokenLocation()
withcurrentLocation()
/currentTokenLocation()
inJsonParser
-
#673: Replace
JsonGenerator.writeObject()
(and related) withwritePOJO()
-
#674: Replace
getCurrentValue()
/setCurrentValue()
withcurrentValue()
/assignCurrentValue()
inJsonParser
/JsonGenerator
- #677: Introduce O(n^1.5) BigDecimal parser implementation
- #687: ByteQuadsCanonicalizer.addName(String, int, int) has incorrect handling for case of q2 == null
- #692: UTF32Reader ArrayIndexOutOfBoundsException
- #694: Improve exception/JsonLocation handling for binary content: don't show content, include byte offset
- #700: Unable to ignore properties when deserializing. TokenFilter seems broken
-
#1850:
@JsonValue
with integer for enum does not deserialize correctly -
#2509:
AnnotatedMethod.getValue()/setValue()
doesn't have useful exception message -
#2828: Add
DatabindException
as intermediate subtype ofJsonMappingException
- #2900: Jackson does not support deserializing new Java 9 unmodifiable collections
- #2989: Allocate TokenBuffer instance via context objects (to allow format-specific buffer types)
-
#3001: Add mechanism for setting default
ContextAttributes
forObjectMapper
-
#3002: Add
DeserializationContext.readTreeAsValue()
methods for more convenient conversions for deserializers to use - #3011: Clean up support of typed "unmodifiable", "singleton" Maps/Sets/Collections
-
#3033:
MapperFeature
to uselong
internally -
#3035: Add
removeMixIn()
method inMapperBuilder
-
#3036: Backport
MapperBuilder
lambda-taking methods:withConfigOverride()
,withCoercionConfig()
,withCoercionConfigDefaults()
- #3080: configOverrides(boolean.class) silently ignored, whereas .configOverride(Boolean.class) works for both primitives and boxed boolean values
-
#3082: Dont track unknown props in buffer if
ignoreAllUnknown
is true -
#3091: Should allow deserialization of java.time types via opaque
JsonToken.VALUE_EMBEDDED_OBJECT
- #3101: Add AnnotationIntrospector.XmlExtensions interface for decoupling javax dependencies
- #3110: Custom SimpleModule not included in list returned by ObjectMapper.getRegisteredModuleIds() after registration
- #3117: Use more limiting default visibility settings for JDK types (java., javax.)
-
#3122: Deep merge for
JsonNode
usingObjectReader.readTree()
- #3125: IllegalArgumentException: Conflicting setter definitions for property with more than 2 setters
-
#3130: Serializing
java.lang.Thread
fails on JDK 11+ -
#3143: String-based
Map
key deserializer is not deterministic when there is no single arg constructor - #3154: Add ArrayNode#set(int index, primitive_type value)
- #3160: JsonStreamContext "currentValue" wrongly references to @JsonTypeInfo annotated object
-
#3174: DOM
Node
serialization omits the default namespace declaration -
#3177: Support
suppressed
property when deserializingThrowable
-
#3187:
AnnotatedMember.equals()
does not work reliably - #3193: Add MapperFeature.APPLY_DEFAULT_VALUES, initially for Scala module
-
#3214: For an absent property Jackson injects
NullNode
instead ofnull
to a JsonNode-typed constructor argument of a@ConstructorProperties
-annotated constructor -
#3217:
XMLGregorianCalendar
doesn't work with default typing -
#3227: Content
null
handling not working for root values - #3234: StdDeserializer rejects blank (all-whitespace) strings for ints
-
#3235:
USE_BASE_TYPE_AS_DEFAULT_IMPL
not working withDefaultTypeResolverBuilder
- #3238: Add PropertyNamingStrategies.UpperSnakeCaseStrategy (and UPPER_SNAKE_CASE constant)
- #3244: StackOverflowError when serializing JsonProcessingException
-
#3259: Support for BCP 47
java.util.Locale
serialization/deserialization - #3271: String property deserializes null as "null" for JsonTypeInfo.As.EXISTING_PROPERTY
- #3302: Serialize formerly unserializable Jackson types like ObjectMapper as Empty Object value
-
#3397: Optimize
JsonNodeDeserialization
wrt recursion
-
#283: Add
logicalType
support for somejava.time
types; addAvroJavaTimeModule
for native ser/deser - #290: Generate logicalType switch
- #239: Should validate UTF-8 multi-byte validity for short decode path too
-
#253: Make
CBORFactory
supportJsonFactory.Feature.CANONICALIZE_FIELD_NAMES
- #264: Handle case of BigDecimal with Integer.MIN_VALUE for scale gracefully
- #272: Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzze
- #273: Another uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
-
#284: Support base64 strings in
getBinaryValue()
for CBOR and Smile -
#289:
ArrayIndexOutOfBounds
for truncated UTF-8 name
-
#240: Split
CsvMappingException
intoCsvReadException
/CsvWriteException
-
#270: Should not quote with strict quoting when line starts with
#
but comments are disabled -
#283:
CsvSchema.getColumnDesc()
returns unpaired square bracket when columns are empty
-
#295:
jackson-dataformat-ion
does not handle null.struct deserialization correctly
-
#252: Make
SmileFactory
supportJsonFactory.Feature.CANONICALIZE_FIELD_NAMES
-
#276: Add
SmileGenerator.Feature.LENIENT_UTF_ENCODING
for lenient handling of broken Unicode surrogate pairs on writing -
#284: Support base64 strings in
getBinaryValue()
for CBOR and Smile -
#291:
ArrayIndexOutOfBounds
for truncated UTF-8 name
- #219: Add TOML (https://en.wikipedia.org/wiki/TOML) support!
-
#441: Add
ToXmlGenerator.Feature.UNWRAP_ROOT_OBJECT_NODE
(to avoid rootObjectNode
wrapper element) - #442: Missing START_OBJECT token in complex element starting with text
-
#462: Remove
jackson-module-jaxb-annotations
runtime dependency (leave as a test dep). Also upgrade to use new "Jakarta" variety of annotations - #463: NPE via boundary condition, document with only XML declaration
- #465: ArrayIndexOutOfBoundsException in UTF8Reader (ossfuzz)
- #467: Ignore contents of elements annotated with xsi:nil="true" (when xsi:nil handling enabled)
-
#468: Add
FromXmlParser.Feature.PROCESS_XSI_NIL
to allow disabling processing ofxsi:nil
attributes on reading - #474: Empty String ("") parsed as 0 for int even if DeserializationFeature.FAIL_ON_NULL_FOR_PRIMITIVES enabled (note: actual fix in `jackson-databind)
- #483: Explicitly pass ClassLoader of XmlFactory when creating Stax input/output factory, instead of context ClassLoader
- #485: Deserialization with XmlMapper and DeserializationFeature.UNWRAP_ROOT_VALUE no longer works in 2.12
- #139: Drop support for Hibernate 3.x from Jackson 2.13
-
#144: Add new module (
jackson-datatype-hibernate5-jakarta
) to support Jakarta EE for Hibernate 5.5
- #131: Deserializing ZonedDateTime with basic TZ offset notation (0000)
- #212: Make LocalDateDeserializer consider strict/lenient on accepting (or not) of "time" part
-
#8: Improve error handling of "joda-money"
MoneyDeserializer
,CurrencyUnitDeserializer
- #141: Blackbird fails to deserialize varargs array
-
#130: Addition of new
jackson-module-jakarta-xmlbind-annotations
module- Supports
jakarta.xml.bind
flavor of "new" JAXB annotations, instead of oldjavax.xml.bind
annotations (which are still covered by existing "old"jackson-module-jaxb-annotations
module)
- Supports
Changes, JAX-RS providers
-
#134: Remove work-around for JAX-RS 1.x wrt JAX-RS 2 type
NoContentException
-
#146: Add separate "Jakarta [format] provider"s for 2.13
- Provides new
jakarta.ws.rs
("Jakarta-RS") provider implementations; replacements for "javax"/JAX-RS providers
- Provides new
-
#438: Fixed mapping failure when
private
companion object
is named - #447: Fix edge case when dealing with sealed classes
- #468: Improved support for value classes
- #477: Improved documentation for KotlinFeature
- #489: Extension functions for JsonNode, ArrayNode and ObjectNode
-
#490: Fix deserialization of missing value (was
NullNode
, now literalnull
) - #494: Improved documentation for ProGuard users
- #496: Fix type erasure in treeToValue() extension function
- #211: Deserialization of case object creates a new instance of case object
- #296: JsonSerializable gets ignored on classes implementing Map
- #382: Option field deserialization failure
- #443: Objects in tuples are not serialized as ids
- #479: Scala3 support
- #503: big improvement to ClassTagExtensions, the Scala3 friendly replacement for ScalaObjectMapper. Big thanks to Gaël Jourdan-Weil.
- #512: add support for recognising Scala3 classes (TastyUtil)
- #514: support MapperFeature.APPLY_DEFAULT_VALUES (defaults to true)
- #545: (Experimental) support for registering reference types (when they can't be inferred)
- #79: Reuse of ClassKey in ValueWriterLocator not working
- #80: Case-insensitive property, enum deserialization should be supported
-
#81:
JsrValue
should implementequals()
-
#83: Support
@JsonProperty
annotation on enum values - #84: Public static fields are included in serialized output
-
#88: Make
jr-stree
dependency tojr-objects
optional