-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Jackson Release 2.9
Version 2.9 was released on July 30th 2017.
There is a longer blog entry on major features, above and beyond information here.
Branch is not open for general releases and 2.9.10
was the last full patch release.
Some micro-patch versions have been released (see below), but with release of 2.9.10.8
on January 6, 2021, the branch is now officially closed and no releases of any kind are planned.
Beyond initial 2.9.0 (described here), following patch versions were released:
- 2.9.1 (07-Sep-2017)
- 2.9.2 (14-Oct-2017)
- 2.9.3 (09-Dec-2017)
- 2.9.4 (24-Jan-2018)
- 2.9.5 (26-Mar-2018)
- 2.9.6 (12-Jun-2018)
- 2.9.7 (19-Sep-2018)
- 2.9.8 (15-Dec-2018)
- 2.9.9 (16-May-2019)
- 2.9.10 (21-Sep-2019) -- see notes below on micro-patches
Following micro-patches have been or will be released:
-
jackson-databind
2.9.9.1
(03-Jul-2019) -
jackson-databind
2.9.9.2
(27-Jul-2019) -- withjackson-bom
version2.9.9.20190727
-
jackson-databind
2.9.9.3
(06-Aug-2019) -- withjackson-bom
version2.9.9.20190807
-
#2395:
NullPointerException
fromResolvedRecursiveType
(regression due to fix for #2331)
-
#2395:
-
jackson-databind
2.9.10.1
(20-Oct-2019) -- withjackson-bom
version2.9.10.20191020
-
jackson-databind
2.9.10.2
(03-Jan-2020) -
jackson-databind
2.9.10.3
(23-Feb-2020) -- withjackson-bom
version2.9.10.20200223
- #2620: Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840)
-
jackson-databind
2.9.10.4
(11-Apr-2020) -- withjackson-bom
version2.9.10.20200411
- #2631: Block one more gadget type (shaded-hikari-config, CVE-2020-9546)
- #2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)
- #2642: Block one more gadget type (javax.swing, CVE-2020-10969)
- #2648: Block one more gadget type (shiro-core)
- #2653: Block one more gadget type (shiro-core)
- #2658: Block one more gadget type (ignite-jta, CVE-2020-10650)
- #2659: Block one more gadget type (aries.transaction.jms, CVE-2020-10672)
- #2660: Block one more gadget type (com.caucho:quercus, CVE-2020-10673)
- #2662: Block one more gadget type (bus-proxy, CVE-2020-10968)
- #2664: Block one more gadget type (activemq-jms, CVE-2020-11111)
- #2666: Block one more gadget type (apache/commons-proxy, CVE-2020-11112)
- #2670: Block one more gadget type (openjpa, CVE-2020-11113)
- #2680: Block one more gadget type (spring-jpa, CVE-2020-11619)
- #2682: Block one more gadget type (commons-jelly, CVE-2020-11620)
-
jackson-databind
2.9.10.5
(21-Jun-2020) -- withjackson-bom
version2.9.10.20200621
-
jackson-databind
2.9.10.6
(24-Aug-2020) -- withjackson-bom
version2.9.10.20200824
-
jackson-databind
2.9.10.7
(02-Dec-2020) -- withjackson-bom
version2.9.10.20201202
-
jackson-databind
2.9.10.8
(06-Jan-2021) -- withjackson-bom
version2.9.10.20210106
- #2986: Block 2 more gadget types (commons-dbcp2, CVE-2020-35490/CVE-2020-35491)
- #2996: Block 2 more gadget types (newrelic-agent)
- #2997: Block 2 more gadget types (tomcat/naming-factory-dbcp)
- #2998: Block 2 more gadget types (org.apache.tomcat/tomcat-dbcp)
- #2999: Block 1 more gadget type (org.glassfish.web/javax.servlet.jsp.jstl, CVE-2020-35728)
- #3003: Block one more gadget type (xxx, CVE to be allocated)
- #3004: Block one more DBCP-related potential gadget class
No changes from 2.8: Java 7 features available for all modules (meaning, need to compile on Java 7), JDK/JVM 7 is the baseline, except:
-
jackson-annotations
,jackson-core
(streaming) andjackson-jr
still only require JDK/JVM 6 - Java 8 modules, Kotlin, Scala module require JDK/JVM 8
Other modules could theoretically run on Java 6 with reduced features (i.e. avoid loading Java 7 types), but have compiled compiled with -target 1.7
setting so bytecode unfortunately requires JDK 7.
It should be possible to post-process jars, however, to produce JDK 6 - compatible jars.
No changes: similar to Jackson 2.8 minimum is Android 4.4
, API-level 19
(see this dashboard for example).
Note that version 2.7
will work with older Android versions; and there are some reports that even 2.8
may actually work (even if not specified to).
First official version of jackson-dataformat-ion
(under jackson-dataformats-binary
repo) supports Amazon Ion binary data format.
As per databind#219 java.sql.Date
will finally use same "timestamp-or-String" determination as java.util.Date
and java.util.Calendar
.
This means that with vanilla, unchanged settings, values will be serialized as numeric timestamps.
Note that the default String serialization will still default to java.sql.Date.String()
, and not to default formatting java.util.Date
uses.
- Add separate exception type for "pojo configuration problem" (
InvalidDefinitionException
), distinct from "json input" problem (MismatchedInputException
); in general to distinguish between bad configuration (server-side issue) and bad data (client issue) #1356 - Per-property custom serialization inclusion (
@JsonInclude(value=Include.CUSTOM, valueFilter=MyExcluder.class
) #888 - Per-property overwrite-vs-merge annotation/handling, to allow for merging of configuration information (for example) #1399
- note: on-going work to increase coverage; most types should work
- Ability to override handling of
null
for deserialization #1402 - Aliases, to allow migration: alternate property id names to accept (but not write) #1029
- Non-blocking JSON/Smile parser #57
-
DeserializationFeature
to automatically verify that value bound is full value and there is no trailing junk in input ("whole value verification") #1583
From original "big items" list, a few were left out:
- Ability to force "inject-only" variant of
@JacksonInject
#1381 -- also solves a few related issues wrt un-deserializable injectable values (which are common) - Allow pre-defining Object Ids; pluggable Object Id converters? #693
- Rewrite of property/creator introspection code, to resolve most open issues wrt Creator auto-detection and name-detection
- NOTE: partial rewrite occurred for 2.12
- A way to force a supertype as type id to use during serialization: this is needed to avoid deserialization problems for things like concrete Hibernate collection type. #789
- Protobuf: Schema building by hand
- "Safe"
ObjectReader
,ObjectWriter
; that is, ones that does NOT throw checked exceptions (wrapIOException
s), to work better with Java 8 Streams #779- NOTE: decided against this approach -- instead, Jackson 3.0 will change
JsonProcessingException
to be unchecked, to prevent need for "safe" alternative
- NOTE: decided against this approach -- instead, Jackson 3.0 will change
- Support for
@JsonIncludeProperties
(opposite of@JsonIgnoreProperties
) #1296- NOTE: finally implement in Jackson 2.1
In addition, during development of 2.9, couple of new great ideas surfaced, but could not yet be implemented due to time constraints:
- Low-level
String
post-processor? jackson-core#355 - Comma-separated "ints in a String" #1242
- Support for automated
FormatSchema
configuration/lookup: #1582- Would be especially useful for cases where caller does not have full control; for example, when using as extension for frameworks like JAX-RS
-
@JsonUnwrapped
improvements, which need major rewrite of unwrapped deserialization:- Support for
@JsonUnwrapped
as@JsonCreator
parameter - Catching "unknown" properties
- Support for
Ideally the next minor version (or, as the case may be, major...) -- 3.0 -- would start by considering these features as the starting Big Ticket item list.
-
#103: Add
JsonInclude.Include.CUSTOM
, properties for specifying filter(s) to use -
#104: Add new properties in
@JsonSetter
:nulls
/contentNulls
-
#105: Add
@JsonFormat.lenient
to allow configuring lenience of date/time deserializers -
#108: Allow
@JsonValue
on fields -
#109: Add
enabled
for@JsonAnyGetter
,@JsonAnySetter
, to allow disabling via mix-ins -
#113: Add
@JsonMerge
to support (deep) merging of properties -
#116: Add
@JsonAlias
annotation to allow specifying alternate names for a property - Allow use of
@JsonView
on classes, to specify Default View to use on non-annotated properties.
- #17: Add 'JsonGenerator.writeString(Reader r, int charLength)'
- #57: Add support for non-blocking ("async") JSON parsing
-
#208: Make use of
_matchCount
inFilteringParserDelegate
-
#306: Add new method in
JsonStreamContext
to constructJsonPointer
-
#312: Add
JsonProcessingException.clearLocation()
to allow clearing possibly security-sensitive information -
#314: Add a method in
JsonParser.isNan()
to allow checking for "NaN" values -
#323: Add
JsonParser.ALLOW_TRAILING_COMMA
to work for Arrays and Objects -
#325:
DataInput
backed parser should handleEOFException
at end of doc -
#356: Improve indication of "source reference" in
JsonLocation
wrtbyte[]
,char[]
- #374: Minimal and DefaultPrettyPrinter with configurable separators
-
#219:
SqlDateSerializer
does not obeySerializationConfig.Feature.WRITE_DATES_AS_TIMESTAMPS
-
#291:
@JsonTypeInfo
withAs.EXTERNAL_PROPERTY
doesn't work if external type property is referenced more than once -
#357:
StackOverflowError
with contentConverter that returns array type -
#383: Recursive
@JsonUnwrapped
(child
with same type) fail: "No _valueDeserializer assigned" - #403: Make FAIL_ON_NULL_FOR_PRIMITIVES apply to primitive arrays and other types that wrap primitives
-
#476: Allow "Serialize as POJO" using
@JsonFormat(shape=Shape.OBJECT)
class annotation -
#507: Support for default
@JsonView
for a class -
#888: Allow specifying custom exclusion comparator via
@JsonInclude
, usingJsonInclude.Include.CUSTOM
-
#994:
DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS
only works for POJOs, Maps - #1029: Add a way to define property name aliases
-
#1035:
@JsonAnySetter
assumes key ofString
, does not consider declared type -
#1106: Add
MapperFeature.ALLOW_COERCION_OF_SCALARS
for enabling/disabling coercions -
#1284: Make
StdKeySerializers
use newJsonGenerator.writeFieldId()
forint
/long
keys -
#1320: Add
ObjectNode.put(String, BigInteger)
-
#1341:
DeserializationFeature.FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY
-
#1347: Extend
ObjectMapper.configOverrides()
to allow changing visibility rules - #1356: Differentiate between input and code exceptions on deserialization
-
#1369: Improve
@JsonCreator
detection viaAnnotationIntrospector
by passingMappingConfig
-
#1371: Add
MapperFeature.INFER_CREATOR_FROM_CONSTRUCTOR_PROPERTIES
to allow disabling use of@CreatorProperties
as explicit@JsonCreator
equivalent - #1376: Add ability to disable JsonAnySetter/JsonAnyGetter via mixin
-
#1399: Add support for
@JsonSetter(merge=OptBoolean.TRUE
) to allow "deep update" -
#1402: Use
@JsonSetter(nulls=...)
to specify handling ofnull
values during deserialization -
#1406:
ObjectMapper.readTree()
methods do not returnnull
on end-of-input -
#1407:
@JsonFormat.pattern
is ignored forjava.sql.Date
valued properties -
#1428: Allow
@JsonValue
on a field, not just getter -
#1454: Support
@JsonFormat.lenient
forjava.util.Date
,java.util.Calendar
-
#1480: Add support for serializing
boolean
/Boolean
as number (0 or 1) - #1520: Case insensitive enum deserialization feature.
-
#1522: Global
@JsonInclude(Include.NON_NULL)
for all properties with a specific type - #1552: Map key converted to byte array is not serialized as base64 string
-
#1554: Support deserialization of
Shape.OBJECT
("as POJO") forMap
s (and map-like types) -
#1556: Add
ObjectMapper.updateValue()
method to update instance with given overrides -
#1583: Add a
DeserializationFeature.FAIL_ON_TRAILING_TOKENS
to force reading of the whole input as single value -
#1605: Allow serialization of
InetAddress
as simple numeric host address -
#1678: Rewrite
StdDateFormat
ISO-8601 handling functionality
- #13: Add support for Avro default values
-
#14: Add support for Avro annotations via
AvroAnnotationIntrospector
- #15: Add a way to produce "file" style Avro output
-
#56: Replace use of
BinaryDecoder
with direct access -
#57: Add support for
@Stringable
annotation -
#59: Add support for
@AvroAlias
annotation for Record/Enum name evolution -
#60: Add support for
@Union
and polymorphic types -
#63: Implement native
float
handling for parser - #69: Add support for @AvroEncode annotation
-
#95: Add new method,
withUnsafeReaderSchema
inAvroSchema
to allow avoiding verification exception - Upgrade
avro-core
dep from 1.7.7 to 1.8.1
-
#127: Add
CsvGenerator.Feature.ALWAYS_QUOTE_EMPTY_STRINGS
to allow forced quoting of empty Strings - #130: Add fluent addColumns operation to CsvSchema.Builder
-
#137: Inject "missing" trailing columns as
null
s (CsvParser.Feature.INSERT_NULLS_FOR_MISSING_COLUMNS
) -
#139: Add
CsvParser.Feature.ALLOW_TRAILING_COMMA
to allow enforcing strict handling -
#140: Fail for missing column values (
CsvParser.Feature.FAIL_ON_MISSING_COLUMNS
) -
#142: Add methods for appending columns of a
CsvSchema
into another - Add new exception type
CsvMappingException
to indicate CSV-mapping issues (and give access to effective Schema)
-
#64: Implement native
float
handling for parser - #68: Getting "type not supported as root type by protobuf" for serialization of short and UUID types
- #79: Fix wire type for packed arrays
- #1: Add convenience method(s) for reading System properties
-
#3: Write into
Properties
instance (factory, mapper) usingJavaPropsMapper.writeValue()
withProperties
andJavaPropsMapper.writeValueAsProperties()
-
#4: Allow binding from
Properties
instance
- #162: XML Empty tag to Empty string in the object during xml deserialization
-
#232: Implement
writeRawValue
inToXmlGenerator
-
#245: Default
DeserializationFeature.ACCEPT_EMPTY_STRING_AS_NULL_OBJECT
to "enabled" forXmlMapper
-
#246: Add new feature,
FromXmlParser.Feature.EMPTY_ELEMENT_AS_NULL
-
#250: Deserialization of
Exception
serialized as XML fails
-
#67: Add
YAMLGenerator.Feature.INDENT_ARRAYS
-
#76: Add
YAMLGenerator.Feature.LITERAL_BLOCK_STYLE
for String output
- #3: (datatype) Add Serialization Support for Streams
-
#20: (datetime) Allow
LocalDate
to be serialized/deserialized as number (epoch day) -
#21: (datetime)
DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS
not respected
-
#119:
dependencies
property should not be an Array but Object