Jackson Release 2.15

Jackson Version 2.15 is being developed as of March 2023.

There is tentative goal of getting the first Release Candidate out by March 2023.

This wiki page gives a list of links to all changes (with brief descriptions) that will be included, as well as about some of the active plans for changes and fixes to include.

---

Status

Branch is about to be released as of March 2023: 2.15.0-final expected by mid-April. So far released

• 2.15.0-rc1: 18-Mar-2023
• 2.15.0-rc2: 28-Mar-2023

Patches

No release yet

Documentation

None written yet.

Changes, compatibility

Compatibility: platform requirements

JDK

Same as Jackson 2.14

Kotlin

Jackson 2.15 no longer supports Kotlin 1.4 -- supported versions are 1.5 - 1.8

Compatibility: transitive dependencies

YAML format module

As per YAML#390 SnakeYAML dependency upgrade to Snakeyaml 2.0 from 1.33, to resolve CVE-2022-1471.

Despite seeming major version upgrade, should NOT affect compatibility of Jackson YAML format module -- SnakeYAML version scheme only uses 2 digits so this is more like a minor version upgrade, affecting API that Jackson does not use. Jackson YAML module will still work with older version of SnakeYAML (such as 1.33) so if necessary, users can forcible downgrade it if necessary for compatibility reasons with other libraries, frameworks.

Guava Module

Default/baseline Guava dependency now 23.6.1-jre (was 21.0 in 2.14), but module still works with full range of Guava versions from 14.0 to the latest (31.1-jre as of writing this)

Compatibility: build/artifact changes

Build JDK changes

• Hibernate module build now requires JDK 11 (due to Hibernate 6 module)

Jar changes

• jackson-core is now a Multi-Release jar to support more optimal handling for newer JDKs wrt number parsing.

Changes, behavior

Processing Limits

General

2.15 adds maximum token limits for different tokens as described below. All limits are:

• Expressed in input units -- bytes or chars -- depending on input source
• Defined as longest allowed length, but not necessarily imposed at 100% accuracy: that is, if maximum allowed length is specified as 1000 units, something with length of, say 1003 may not cause exception (but 1500 would)
• Defined in new StreamReadConstraints class, configurable on per-JsonFactory basis

Maximum number token lengths

Implementation of jackson-core#827 sets up upper limit on maximum length of numeric tokens read from input. Default limit is:

• Maximum 1000 for both integral and floating-point numbers.

Note that dataformat modules need to add support for enforcing the limits so coverage may vary: as usual, JSON parser will have the widest coverage initially.

Maximum String value length

Implementation of jackson-core#863 sets up upper limit on maximum length of String values read from input. Default limit is:

• Maximum of 1_000_000 (1 million) input units (bytes/chars depending on input source)

Changes, behavior, other

• Java 8 Date/Time handling:
  • https://github.com/FasterXML/jackson-modules-java8/pull/267: Normalize zone id during ZonedDateTime deserialization

---

Major focus areas, features included

Processing limits

• Implemented limits -- as explained earlier -- for
  • Maximum String and Number token lengths
  • Maximum input nesting

Further number decoding performance optimizations

Use of FastDoubleParser library in more places, more widely (2.14 already used it in some places) may yield incremental performance improvements. Also uses the latest release of FDP.

Other Most Wanted Issues included

• #2667: Add @EnumNaming, EnumNamingStrategy to allow use of naming strategies for Enums
• #2968: Deserialization of @JsonTypeInfo annotated type fails with missing type id even for explicit concrete subtypes

---

Full Change list

Changes, core

Annotations

• #211: Add JsonFormat.Features: READ_UNKNOWN_ENUM_VALUES_AS_NULL, READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE

Streaming

• #827: Add numeric value size limits via StreamReadConstraints (fixes sonatype-2022-6438)
• #844: Add SLSA provenance via build script
• #851: Add StreamReadFeature.USE_FAST_BIG_NUMBER_PARSER to enable faster BigDecimal, BigInteger parsing
• #863: Add StreamReadConstraints limit for longest textual value to allow (default: 1M)
• #865: Optimize parsing 19 digit longs
• #898: Possible flaw in TokenFilterContext#skipParentChecks()
• #902: Add Object JsonParser.getNumberValueDeferred() method to allow for deferred decoding in some cases
• #921: Add JsonFactory.Feature.CHARSET_DETECTION to disable charset detection
• #948: Use StreamConstraintsException in name canonicalizers
• #968: Prevent inefficient internal conversion from BigDecimal to BigInteger wrt ultra-large scale
• #984: Add JsonGenerator.copyCurrentEventExact as alternative to copyCurrentEvent()
• Build uses package type "jar" but still produces valid OSGi bundle (changed needed to keep class timestamps with Reproducible Build)

Databind

• #2536: Add EnumFeature.READ_ENUM_KEYS_USING_INDEX to work with existing "WRITE_ENUM_KEYS_USING_INDEX"
• #2667: Add @EnumNaming, EnumNamingStrategy to allow use of naming strategies for Enums
• #2968: Deserialization of @JsonTypeInfo annotated type fails with missing type id even for explicit concrete subtypes
• #2974: Null coercion with @JsonSetter does not work with java.lang.Record
• #2992: Properties naming strategy do not work with Record
• #3053: Allow serializing enums to lowercase (EnumFeature.WRITE_ENUMS_TO_LOWERCASE)
• #3180: Support @JsonCreator annotation on record classes
• #3262: InvalidDefinitionException when calling mapper.createObjectNode().putPOJO
• #3297: @JsonDeserialize(converter = ...) does not work with Records
• #3342: JsonTypeInfo.As.EXTERNAL_PROPERTY does not work with record wrappers
• #3352: Do not require the usage of opens in a modular app when using records
• #3566: https://github.com/FasterXML/jackson-databind/issues/3566
• #3637: Add enum features into @JsonFormat.Feature
• #3638: Case-insensitive and number-based enum deserialization are (unnecessarily) mutually exclusive
• #3651: Deprecate "exact values" setting from JsonNodeFactory, replace with JsonNodeFeature.STRIP_TRAILING_BIGDECIMAL_ZEROES
• #3654: Infer @JsonCreator(mode = Mode.DELEGATING) from use of @JsonValue)
• #3676: Allow use of @JsonCreator(mode = Mode.PROPERTIES) creator for POJOs with "empty String" coercion
• #3680: Timestamp in classes inside jar showing 02/01/1980
• #3682: Transient Fields are not ignored as Mutators if there is visible Getter
• #3690: Incorrect target type for arrays when disabling coercion
• #3708: Seems like java.nio.file.Path is safe for Android API level 26
• #3730: Add support in TokenBuffer for lazily decoded (big) numbers
• #3736: Try to avoid auto-detecting Fields for Record types
• #3742: schemaType of LongSerializer is wrong
• #3745: Deprecate classes in package com.fasterxml.jackson.databind.jsonschema
• #3748: DelegatingDeserializer missing override of getAbsentValue() (and couple of other methods)
• #3771: Classloader leak: DEFAULT_ANNOTATION_INTROSPECTOR holds annotation reference
• #3791: Flush readonly map together with shared on SerializerCache.flush()
• #3796: Enum Deserialisation Failing with Polymorphic type validator
• #3809: Add Stream-friendly alternative to ObjectNode.fields(): Set<Map.Entry<String, JsonNode>> properties()
• #3814: Enhance StdNodeBasedDeserializer to support readerForUpdating
• #3816: TokenBufferdoes not implement writeString(Reader reader, int len)
• #3819: Add convenience method SimpleBeanPropertyFilter.filterOutAll() as symmetric counterpart of serializeAll()
• #3836: Optional<Boolean> is not recognized as boolean field

Changes, data formats

CBOR

• #347: Add support for CBOR stringref extension (CBORGenerator.Feature.STRINGREF)
• #356: Add CBORGenerator.Feature.WRITE_MINIMAL_DOUBLES for writing doubles as floats if safe to do so
• #373: Remove optimized CBORParser.nextTextValue() implementation

TOML

• #387: Stack overflow (50083) found by OSS-Fuzz

XML

• #286: Conflict between @JsonIdentityInfo and Unwrapped Lists
• #533: (Android) java.lang.NoClassDefFoundError: Failed resolution of: Ljavax/xml/stream/XMLInputFactory
• #542: XmlMapper does not find no-argument record constructor for deserialization of empty XML
• #547: Parsing empty tags without default no-arguments constructor fails in 2.14
• #560: Add DefaultXmlPrettyPrinter.withCustomNewLine() to configure linefeed for XML pretty-printing
• #578: XmlMapper serializes @JsonAppend property twice
• #584: Deserialization of null String values in Arrays / Collections not working as expected

YAML

• #373: Positive numbers with plus sign not quoted correctly with ALWAYS_QUOTE_NUMBERS_AS_STRINGS
• #388: Add YAMLParser.Feature.PARSE_BOOLEAN_LIKE_WORDS_AS_STRINGS to allow parsing "boolean" words as strings instead of booleans
• #390: Upgrade to Snakeyaml 2.0 (resolves CVE-2022-1471)

Changes, datatypes

Guava

• #7: Add support for WRITE_SORTED_MAP_ENTRIES for Guava Multimaps
• #102: accept lowerCase enums for Range BoundType serialization
• #105: Update default Guava dependency for Jackson 2.15 from Guava 21.0 to 23.6.1-jre

Hibernate

• #158: Add jackson-datatype-hibernate6 for Hibernate 6

JSONP/JSR-353

• #31: Fix issue with BigInteger handling

Java 8 date/time

• #259: Wrong module auto-registered when using JPMS
• #266: Optimize InstantDeserializer method replaceZeroOffsetAsZIfNecessary()
• #267: Normalize zone id during ZonedDateTime deserialization

Changes, Other modules

Afterburner

• #190: Filter annotated by JsonInclude.Include.CUSTOM does not get called if the field is null with Afterburner/Blackbird module registered

Changes, JVM Languages

Kotlin

• #396: (regression) no default no-arguments constructor found
• #580: Lazy load UNIT_TYPE
• #627: Merge creator cache for Constructor and Method
• #628: Remove unnecessary cache
• #629: Changed to not cache valueParameters
• #631: Fix minor bugs in SimpleModule.addSerializer/addDeserializer
• #634: Fix ReflectionCache to be serializable
• #641: Fixed is-getter names to match parameters and fields
• #646: Drop Kotlin 1.4 support from Kotlin module 2.15
• #647: Added deprecation to MissingKotlinParameterException
• #654: Change MKPE.parameter property to transient(fixes #572)