Jackson 2.13.0 release

Jackson 2.13.0 was officially released at the very end of Q3 of 2021. It includes almost 100 changes (bug fixes, new features).
Since I wrote “Sneak Peek at Jackson 2.13” a bit before the release, I thought it’d make sense to have a look if anything changed between that and actual release and write an update.

Looking at the 2.13 release notes, earlier blog post, the short answer is that the “Sneak Peek” covers the main changes — if you have read it, there isn’t much to add.
So instead of rewriting what was already explained I will just do a quick summary over areas of changes.

Compatibility Changes

  • Javax/Jakarta compatibility improvements: a new set of components introduced along “old Javax” (JAXB, JAX-RS, JSON-P) support components — new ones have “jakarta” in their name (for Jakarta-XML-binding, Jakarta-rs, jakarta-jsonp and so on). This approach differs from 2.12 where some modules (JAXB, JAX-RS) offered Maven classifier-based variants.

New Functionality

Dataformat improvements

One big area of improvements concerns stricter error detection and handling for issues found by OSS Fuzz project (see “Fuzzing” for more information!) — big Thank You to OSS Fuzz contributors who created settings for CBOR, JSON, Smile and XML modules.

  • Avro: support for some Logical Types added
  • CBOR: much stricter checking of invalid content, error reporting (mostly issues found by OSS-Fuzz project)
  • CSV: a few bug fixes
  • Ion: one minor bug fix
  • Smile: similar to CBOR, stricter error checking (mostly for issues found by OSS-Fuzz)
  • XML: a lot of fixes to things like List deserialization, as well as some correctness issues OSS Fuzz found

Scala, Kotlin modules

What was left out, to be addressed in 2.14

  1. Rewrite of Property Introspection system — there are many well-known issues with handling of properties defined via @JsonCreator — and that cause issues with Java 14 Record types. I really hope to tackle this problem with 2.14.
  2. Addition of new more targeted “Feature” style on/off configuration: specifically for configuring handling of JsonNode , Java Enums and possibly Data/Time types (unified for Joda and Java 8 date/time types).
  3. Processing limits to help guard against certain types of Denial-of-Service attacks.

There is hoping that these will be included in 2.14 release.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

Open Source developer, most known for Jackson data processor (nee “JSON library”), author of many, many other OSS libraries for Java, from ClassMate to Woodstox