On 11/12/2020 16:26, Jean-Marc Vanel wrote:
I use the latest Play Framework 2.8.5 with Scala (my project is
https://github.com/jmvanel/semantic_forms). I am trying to upgrade my Jena
dependency from 3.16.0 to 3.17.0.
I get this message when running:
[error] com.fasterxml.jackson.databind.JsonMappingException: *Scala module
2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0.*
Indeed Jena requires jackson-databind 2.11.3, while Play is at 2.10.4. I
tried to add exclude("com.fasterxml.jackson.core", "jackson-databind") in
build.sbt to all Jena dependencies, but no result :(

Try excluding all com.fasterxml.jackson from the Jena dependency declaration recursively.

Jena would also get jackson from jsonld-java but excludes it.

jsonld-java/0.13.2 currently at Jackson 2.11.x

Jackson had a number of CVEs so taking control of the dependency in Jena meant Jena could release specifying fixed versions.

Jena should work with 2.10.*. For the jsonld-java usage, there wasn't a breaking change.

2.11.* has an architecture change that makes the 2.10.* CVE issues go away by design.

2.12.x isn't a breaking change either for the usage made of it (according to the test suite).

Of course, jackson is used by many libraries so it could be picked up by several paths.

    Andy

I added on Jena all the exclusions for each Jackson dependency, even
transitive ones, but the problem is still here:

exclude("com.fasterxml.jackson.core", "jackson-core" )
exclude("com.fasterxml.jackson.core", "jackson-databind" )
exclude("com.fasterxml.jackson.core", "jackson-annotations")
exclude("com.fasterxml.jackson.datatype", "jackson-datatype" )
exclude("com.fasterxml.jackson.datatype", "jackson-datatypejsr310")
exclude("com.fasterxml.jackson.datatype", "jackson-datatype-jdk8")
exclude("com.fasterxml.jackson.module", "jackson-module-parameter-names")
exclude("com.fasterxml.jackson.module", "jackson-module-scala")
exclude("com.fasterxml.jackson.module", "jackson-module-paranamer")

I have verified which artifacts are resolved by the build tool, with
dependencyTree.
The Jena requirement of the latest jenaVersion = "3.17.0" is
:jackson-databind:2.11.3, which brings jackson-annotations and jackson-core.

Running show playDependencyClasspath, I get:
[info] * Attributed(/home/jmv/.cache/coursier/v1/https/repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.11.3/jackson-core-2.11.3.jar)
[info] * Attributed(/home/jmv/.cache/coursier/v1/https/repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-annotations/2.11.3/jackson-annotations-2.11.3.jar)
[info] * Attributed(/home/jmv/.cache/coursier/v1/https/repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.10.4/jackson-datatype-jdk8-2.10.4.jar)
[info] * Attributed(/home/jmv/.cache/coursier/v1/https/repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.10.4/jackson-datatype-jsr310-2.10.4.jar)
[info] * Attributed(/home/jmv/.cache/coursier/v1/https/repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar)

I hoped to drop the Jackson Jena dependencies, and depend only on
Jackson 2.10.4 like Play, but that's not the case...

Jean-Marc Vanel
<http://semantic-forms.cc:1952/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me>
+33 (0)6 89 16 29 52
Twitter: @jmvanel , @jmvanel_fr ; chat: irc://irc.freenode.net#eulergui
  Chroniques jardin
<http://semantic-forms.cc:1952/history?uri=http%3A%2F%2Fdbpedia.org%2Fresource%2FChronicle>
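
Added example (not part of the thread, and not code from Jena, Play or semantic_forms): a small check that reads `show playDependencyClasspath` output and reports which Jackson jars actually resolved and whether they sit on more than one minor line, which is the condition the Scala module error above complains about. The sample input is constructed from the classpath entries quoted in the message; the function names and the rule "all Jackson artifacts on one minor line" are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the five classpath entries quoted in the thread.
PREFIX = ("[info] * Attributed(/home/jmv/.cache/coursier/v1/https/"
          "repo1.maven.org/maven2/com/fasterxml/jackson/")
SAMPLE = "\n".join(PREFIX + tail + ")" for tail in [
    "core/jackson-core/2.11.3/jackson-core-2.11.3.jar",
    "core/jackson-annotations/2.11.3/jackson-annotations-2.11.3.jar",
    "datatype/jackson-datatype-jdk8/2.10.4/jackson-datatype-jdk8-2.10.4.jar",
    "datatype/jackson-datatype-jsr310/2.10.4/jackson-datatype-jsr310-2.10.4.jar",
    "core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar",
])

# Maven repository layout: <group as dirs>/<artifact>/<version>/<artifact>-<version>.jar
JAR_RE = re.compile(
    r"/maven2/(?P<group>[\w./-]+?)/(?P<artifact>[\w.-]+)/(?P<version>[^/]+)"
    r"/(?P=artifact)-(?P=version)\.jar")

def jackson_artifacts(classpath_text):
    """Return {group:artifact: set of versions} for every resolved Jackson jar."""
    found = defaultdict(set)
    for m in JAR_RE.finditer(classpath_text):
        group = m.group("group").replace("/", ".")
        if group.startswith("com.fasterxml.jackson"):
            found[f"{group}:{m.group('artifact')}"].add(m.group("version"))
    return dict(found)

def minor_line(version):
    """Reduce '2.11.3' to its minor line '2.11'."""
    return ".".join(version.split(".")[:2])

def audit(classpath_text):
    """Group resolved Jackson jars by minor line and flag mixed lines or duplicates."""
    arts = jackson_artifacts(classpath_text)
    lines = defaultdict(list)
    for name, versions in arts.items():
        for v in versions:
            lines[minor_line(v)].append(f"{name}:{v}")
    return {
        "lines": {k: sorted(v) for k, v in lines.items()},
        "skewed": len(lines) > 1,  # e.g. databind 2.11.x next to 2.10.x modules
        "duplicates": sorted(n for n, vs in arts.items() if len(vs) > 1),
    }

if __name__ == "__main__":
    report = audit(SAMPLE)
    for line, jars in sorted(report["lines"].items()):
        print(line, *jars, sep="\n  ")
    print("mixed minor lines:", report["skewed"])
```

Run against the real sbt output after each change to the exclusions; the same report also shows whether the build ended up on the 2.10.* or the 2.11.* line discussed above.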
