So, Jackson 2.9.9 is now out (with jackson-module-scala 2.9.9 to be released soon), with the following fixes:

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9

Of more than 20 fixes, one is for a security vulnerability (just one more gadget type for polymorphic deser), so upgrade is strongly recommended.

After this release the main focus will be on getting 2.10.0.pr1 out as soon as possible -- ideally before end of May 2019, but at least during early June.

As to 2.10, while there are lots of smaller changes and fixes (see https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10), there are 2 important things for which a pre-release candidate is needed in particular:

1. Java 9+ compatible module info is being added, so Jackson 2.10 and beyond should (eventually) work well with the new JDK Module system, even without yet requiring use of Java 9 and beyond
2. Pluggable allow-listing approach to class validation for polymorphic deserialization: https://github.com/FasterXML/jackson-databind/issues/2195 which allows fully solving the main source of security vulnerabilities via Default Typing.

-+ Tatu +-
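The allow-listing approach from item 2, as an added example that is not part of the original message or the project's own code: it uses the `PolymorphicTypeValidator` API as it shipped in Jackson 2.10 final (which this message predates) and needs jackson-databind 2.10 or later on the classpath. The classes `Envelope`, `Greeting` and `Other` are hypothetical application types.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowListDemo {
    // Hypothetical types: Envelope has an Object-typed property, which is
    // where Default Typing reads a class name from the incoming JSON.
    public static class Envelope { public Object payload; }
    public static class Greeting { public String text; }
    public static class Other { public String text; }

    public static void main(String[] args) throws Exception {
        // 2.9 style, for contrast: new ObjectMapper().enableDefaultTyping()
        // accepts any class name that is not on the built-in block list,
        // which is why each new gadget type needed a new release.

        // 2.10 style: only explicitly allowed subtypes may be instantiated.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)
                .build();
        ObjectMapper mapper = JsonMapper.builder()
                .activateDefaultTyping(ptv)
                .build();

        // Round trip of an allowed type (constructed sample input).
        Envelope in = new Envelope();
        Greeting g = new Greeting();
        g.text = "hello";
        in.payload = g;
        String allowed = mapper.writeValueAsString(in);
        Envelope out = mapper.readValue(allowed, Envelope.class);
        System.out.println("allowed: " + out.payload.getClass().getSimpleName());

        // Same document shape, but naming a class outside the allow list.
        String denied = allowed.replace(Greeting.class.getName(), Other.class.getName());
        try {
            mapper.readValue(denied, Envelope.class);
            System.out.println("unexpected: type was accepted");
        } catch (InvalidTypeIdException e) {
            // The validator refused the type id before any instance was created.
            System.out.println("denied: " + e.getTypeId());
        }
    }
}
```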
