On Mon, Dec 9, 2019 at 2:35 PM Ron Karim (Oracle Corp.) <[email protected]> wrote:
> Oracle corporation utilizes jackson_databind for many products and
> components, we are using jackson_databind 2.9.9.3 with a Java 7 build
> target.
>
> We would like to uptake the latest jackson_databind version 2.10.x due to
> its whitelisting security feature, hopefully cutting down on our numerous
> (and costly) version uptakes due to CVEs against them.
>
> We wanted to assess the risk and effort of migrating to jackson_databind
> 2.10 for the following points:
>
> 1. Can we still use JDK 7 as target for 2.10
>

Yes. JDK baseline has not changed. The only caveat is that it is not very easy these days to test JDK 7 compatibility, since all releases must be done using JDK 8 when releasing to OSS Nexus (use of JDK 7 theoretically possible but requires some workarounds to include certificates not included by default or such), so we rely on the community to report possible issues.

> 2. Will current implementations using jackson_databind 2.9.9.3 work the
> way they have been if we replace with jackson_databind 1.10.x ? Or is there
> a risk, which will require us to mandate testing of all components using
> jackson_databind (which is a big deal).
> Any recommendations on our assessment would help us go forward effectively
> with the migration (or not).
>

It should be safe: minor versions are not meant to introduce breaking changes. It is a bit difficult to quantify the risk, but my personal feeling is that the risk of a minor version upgrade has gone down significantly since some of the earlier 2.x versions, so that the upgrade from 2.8 to 2.9 was much smoother than previous ones. So far I would expect the 2.9->2.10 upgrade to be similarly safer than an upgrade from, say, 2.5->2.6.

Perhaps other users can share their experiences? I know that adoption of 2.10 has been relatively quick:

https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind

and Spring framework (just as an example) has already upgraded the default Jackson version for Spring Boot to be 2.10.
-+ Tatu +-

> Thanks
