Upgrade Jackson to the next open branch 2.10

[AmitAmar]

No description provided.

[troshko111]

That's 3 branches up, which includes quite a few changes, it'd need to have some wider validation. Is staying on 2.9.x viable for you?

[AmitAmar]

Hi, Thanks for your reply. Unfortunately, I didn't understand your question. I had upgrade the jackson version from: 2.9.10 --> 2.12.3 because some vulnerability (according to WhiteSource) [image: image.png] Can you please explain yourself? Thanks and have a nice day, Amit. ‫בתאריך יום ב׳, 17 במאי 2021 ב-19:59 מאת ‪troshko111‬‏ <‪ ***@***.***‬‏>:‬

…

That's 3 branches up, which includes quite a few changes, it'd need to have some wider validation. Is staying on 2.9.x viable for you? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1388 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJVF7DE6W6JX7VPZZ62HOY3TOFDOVANCNFSM425CHOIQ> .

[troshko111]

Sure, so Jackson has a number of "branches" in development, which differ in behavior (mostly minor but noticeable), see https://github.com/FasterXML/jackson/wiki/Jackson-Releases

We're on 2.9 branch which is closed so won't get new vulnerability patches, meaning we need to move on, agreed. But in your PR you're skipping through https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10#changes-compatibility and https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.11 completely - note the list of changes and incompatibilities.

What I'm saying, the users or even Eureka may not work as expected and we need to double check those changes / compatibilities don't break anything.

It may be easier to do one step at a time, and move to 2.10 branch instead (it should have the patches for the current CVEs), and only verify that branch changes don't break anything, then in the future we can move to 2.11 and so on (until we're current).

Does it make sense?

[AmitAmar]

Hi there, Thank you for your explanation. Yes it makes sense to upgrade to 2.10 instead of 2.13. you're right. Can you please change it or I'll send a new PR? Thank you and have a nice day, Amit. ‫בתאריך יום ג׳, 18 במאי 2021 ב-0:45 מאת ‪troshko111‬‏ <‪ ***@***.***‬‏>:‬

…

Sure, so Jackson has a number of "branches" in development, which differ in behavior (mostly minor but noticeable), see https://github.com/FasterXML/jackson/wiki/Jackson-Releases We're on 2.9 branch which is closed so won't get new vulnerability patches, meaning we need to move on, agreed. But in your PR you're skipping through https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10#changes-compatibility and https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.11 completely - note the list of changes and incompatibilities. What I'm saying, the users or even Eureka may not work as expected and we need to double check those changes / compatibilities don't break anything. It may be easier to do one step at a time, and move to 2.10 branch instead (it should have the patches for the current CVEs), and only verify that branch changes don't break anything, then in the future we can move to 2.11 and so on (until we're current). Does it make sense? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1388 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJVF7DHI6RO67T3UN7LGOLLTOGE7ZANCNFSM425CHOIQ> .

[troshko111]

Keep the PR, feel free to push a new commit.

[troshko111]

Superseded by #1393.

[AmitAmar]

Done :) #1395 BR, Amit. ‫בתאריך יום ג׳, 18 במאי 2021 ב-22:06 מאת ‪troshko111‬‏ <‪ ***@***.***‬‏>:‬

…

Keep the PR, feel free to push a new commit. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1388 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJVF7DDNTJ6YR4I6OLENM5TTOK3EBANCNFSM425CHOIQ> .