Oct 29, 2021


Jackson 2.13.0 release

Jackson 2.13.0 was officially released at the very end of Q3 of 2021. It includes almost 100 changes (bug fixes, new features).
Since I wrote “Sneak Peek at Jackson 2.13” a bit before the release, I thought it’d make sense to see whether anything changed between that and the actual release, and to write an update.

Looking at the 2.13 release notes and the earlier blog post, the short answer is that the “Sneak Peek” covers the main changes: if you have read it, there isn’t much to add.
So instead of rewriting what was already explained, I will just do a quick summary of the areas of change.

Compatibility Changes

New Functionality

There is now support for the TOML textual format with jackson-dataformat-toml (included under the jackson-dataformats-text GitHub repo). This functionality is most useful for reading .toml configuration files.

Dataformat improvements

Aside from core streaming (jackson-core) and databind (jackson-databind), the vast majority of bug fixes and other improvements were for dataformat modules.

One big area of improvement concerns stricter error detection and handling for issues found by the OSS Fuzz project (see “Fuzzing” for more information!). A big Thank You to the OSS Fuzz contributors who created settings for the CBOR, JSON, Smile and XML modules.

Scala, Kotlin modules

Both Scala and Kotlin modules were also much improved: both had about a dozen fixes included. See the respective 2.13 Release Notes sections for details.

What was left out, to be addressed in 2.14

One interesting question regarding the scope of 2.13 is that of things that ended up getting left out due to timing:

  1. Rewrite of the Property Introspection system: there are many well-known issues with the handling of properties defined via @JsonCreator, which also cause issues with Java 14 Record types. I really hope to tackle this problem with 2.14.
  2. Addition of a new, more targeted “Feature”-style on/off configuration: specifically for configuring the handling of JsonNode, Java Enums and possibly Date/Time types (unified for Joda and Java 8 date/time types).
  3. Processing limits to help guard against certain types of Denial-of-Service attacks.

The hope is that these will be included in the 2.14 release.
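Since processing limits are not part of 2.13, an application that accepts untrusted JSON can enforce its own before data binding. The following is an added example, not code from the Jackson project or from the original post; the class name BoundedJsonReader and the three limit values are assumptions chosen for illustration.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Hypothetical helper: enforces application-side limits before data binding.
public class BoundedJsonReader {
    // Assumed limits; tune them to the largest document the service legitimately accepts.
    static final int MAX_BYTES = 1 << 20;
    static final int MAX_DEPTH = 64;
    static final int MAX_TOKENS = 100_000;
    private static final ObjectMapper MAPPER = new ObjectMapper();

    static JsonNode readBounded(byte[] doc) throws IOException {
        if (doc.length > MAX_BYTES) throw new IOException("document exceeds " + MAX_BYTES + " bytes");
        int depth = 0, tokens = 0;
        // First pass: token-level scan with the streaming parser; no tree is built.
        try (JsonParser p = MAPPER.getFactory().createParser(doc)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (++tokens > MAX_TOKENS) throw new IOException("more than " + MAX_TOKENS + " tokens");
                if (t.isStructStart() && ++depth > MAX_DEPTH) throw new IOException("nesting deeper than " + MAX_DEPTH);
                if (t.isStructEnd()) depth--;
            }
        }
        // Second pass: the document is within limits, so bind it.
        return MAPPER.readTree(doc);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: one ordinary document, one with 1000 nested arrays.
        byte[] ok = "{\"user\":{\"roles\":[\"admin\",\"dev\"]}}".getBytes(StandardCharsets.UTF_8);
        System.out.println(readBounded(ok));
        StringBuilder deep = new StringBuilder();
        for (int i = 0; i < 1000; i++) deep.append('[');
        for (int i = 0; i < 1000; i++) deep.append(']');
        try {
            readBounded(deep.toString().getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The scan parses the input twice, which is the cost of rejecting an oversized or deeply nested document before any tree or POJO is allocated for it.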