Jackson 2.13.0 release

@cowtowncoder
2 min readOct 29, 2021

Jackson 2.13.0 was officially released at the very end of Q3 of 2021. It includes almost 100 changes (bug fixes, new features).
Since I wrote “Sneak Peek at Jackson 2.13” a bit before the release, I thought it’d make sense to have a look if anything changed between that and actual release and write an update.

Looking at the 2.13 release notes, earlier blog post, the short answer is that the “Sneak Peek” covers the main changes — if you have read it, there isn’t much to add.
So instead of rewriting what was already explained I will just do a quick summary over areas of changes.

Compatibility Changes

  • Java 8 is now the baseline for almost all modules (minus jackson-annotations, jackson-core (streaming API, json) and jackson-jr) — not a big change to users but does allow use of Java 8 constructs by Jackson 2.x components finally.
  • Javax/Jakarta compatibility improvements: a new set of components introduced along “old Javax” (JAXB, JAX-RS, JSON-P) support components — new ones have “jakarta” in their name (for Jakarta-XML-binding, Jakarta-rs, jakarta-jsonp and so on). This approach differs from 2.12 where some modules (JAXB, JAX-RS) offered Maven classifier-based variants.

New Functionality

There is now support for TOML textual format with jackson-dataformat-toml (included under jackson-dataformats-text Github repo). This functionality is most useful for reading .toml configuration files.

Dataformat improvements

Aside from core streaming (jackson-core) and databind ( jackson-databind), the vast majority of bug fixes and other improvements were for dataformat modules.

One big area of improvements concerns stricter error detection and handling for issues found by OSS Fuzz project (see “Fuzzing” for more information!) — big Thank You to OSS Fuzz contributors who created settings for CBOR, JSON, Smile and XML modules.

  • Avro: support for some Logical Types added
  • CBOR: much stricter checking of invalid content, error reporting (mostly issues found by OSS-Fuzz project)
  • CSV: a few bug fixes
  • Ion: one minor bug fix
  • Smile: similar to CBOR, stricter error checking (mostly for issues found by OSS-Fuzz)
  • XML: a lot of fixes to things like List deserialization, as well as some correctness issues OSS Fuzz found

Scala, Kotlin modules

Both Scala and Kotlin modules were also much improved: both had about a dozen fixes included. See respective 2.13 Release Notes sections for details.

What was left out, to be addressed in 2.14

One interesting question regarding scope of 2.13 is that of things that ended up getting left out due to timing:

  1. Rewrite of Property Introspection system — there are many well-known issues with handling of properties defined via @JsonCreator — and that cause issues with Java 14 Record types. I really hope to tackle this problem with 2.14.
  2. Addition of new more targeted “Feature” style on/off configuration: specifically for configuring handling of JsonNode , Java Enums and possibly Data/Time types (unified for Joda and Java 8 date/time types).
  3. Processing limits to help guard against certain types of Denial-of-Service attacks.

There is hoping that these will be included in 2.14 release.

--

--

@cowtowncoder

Open Source developer, most known for Jackson data processor (nee “JSON library”), author of many, many other OSS libraries for Java, from ClassMate to Woodstox