A found a cleaner way with SBT build engine to exclude all Jackson stuff coming from Jena : https://github.com/jmvanel/semantic_forms/blob/2b5bfb31a47376f86cfbb7f2820be1dbeada1a8b/scala/project/Common.scala#L21
But this does not fix the problem "JsonMappingException: Scala module 2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0 " . I failed to find other dependencies that would bring Jackson 2.11.3 . So either the SBT exclusion attempt does not work, or there is some other dependency bringing Jackson 2.11.3 ( Akka ? ) . Jean-Marc Vanel <http://semantic-forms.cc:9112/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me> +33 (0)6 89 16 29 52 Le sam. 12 déc. 2020 à 15:16, Andy Seaborne <[email protected]> a écrit : > > > On 11/12/2020 16:26, Jean-Marc Vanel wrote: > > I use latest Play Framework 2.8.5 with Scala (my project is > > https://github.com/jmvanel/semantic_forms). I try to upgrade my Jena > > dependency from 3.16.0 to 3.17.0 . > > I get this message when running: > > [error] com.fasterxml.jackson.databind.JsonMappingException: *Scala > module > > 2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0.* > > Indeed Jena requires jackson-databind 2.11.3 , while Play is at 2.10.4 . > I > > tried to add exclude("com.fasterxml.jackson.core", "jackson-databind" ) > in > > build.sbt to all Jena dependencies, but no result :( . > > Try excluding all com.fasterxml.jackson from the Jena dependency > declaration recursively. > > Jena would also get jackson from jsonld-java but excludes it. > > jsonld-java/0.13.2 currently at Jackson 2.11.x > > Jackson had a number of CVEs so taking control of the dependency in Jena > meant Jena could release specifying fixed versions. > > Jena should work with 2.10.* For the jsonld-java usage, there wasn't a > breaking change. > > 2.11.* has an architecture change than makes the 2.10.* CVE issues go > away by design. > > 2.12.x isn't a breaking change either for the usage made of it > (according to the test suite). > > Of course, jackson is used by many libraries so it could be picked up by > several paths. > > Andy > > > I added on Jena all the exclusions for each jackson dependency , even > > transitive , but problem is still here : > > > > exclude("com.fasterxml.jackson.core", "jackson-core" ) > > exclude("com.fasterxml.jackson.core", "jackson-databind" ) > > exclude("com.fasterxml.jackson.core", "jackson-annotations") > > exclude("com.fasterxml.jackson.datatype", "jackson-datatype" ) > > exclude("com.fasterxml.jackson.datatype", "jackson-datatypejsr310") > > exclude("com.fasterxml.jackson.datatype", "jackson-datatype-jdk8") > > exclude("com.fasterxml.jackson.module", "jackson-module-parameter-names") > > exclude("com.fasterxml.jackson.module", "jackson-module-scala") > > exclude("com.fasterxml.jackson.module", "jackson-module-paranamer") > > > > I have verified which artifacts are resolved by the build tool, by > > dependencyTree . > > The Jena requirements of the latest jenaVersion = "3.17.0" is > > :jackson-databind:2.11.3, which brings jackson-annotations and > jackson-core > > . > > > > Running show playDependencyClasspath , I get : > > [info] * Attributed(/home/jmv/.cache/coursier/v1/https/ > > > repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.11.3/jackson-core-2.11.3.jar > > ) > > [info] * Attributed(/home/jmv/.cache/coursier/v1/https/ > > > repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-annotations/2.11.3/jackson-annotations-2.11.3.jar > > ) > > [info] * Attributed(/home/jmv/.cache/coursier/v1/https/ > > > repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.10.4/jackson-datatype-jdk8-2.10.4.jar > > ) > > [info] * Attributed(/home/jmv/.cache/coursier/v1/https/ > > > repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.10.4/jackson-datatype-jsr310-2.10.4.jar > > ) > > [info] * Attributed(/home/jmv/.cache/coursier/v1/https/ > > > repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar > > ) > > > > I hoped to drop the Jackson Jena dependencies, and depend only on > > Jackson 2.10.4 like Play, but that 's not the case... > > > > Jean-Marc Vanel > > < > http://semantic-forms.cc:1952/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me > > > > +33 (0)6 89 16 29 52 > > Twitter: @jmvanel , @jmvanel_fr ; chat: irc://irc.freenode.net#eulergui > > Chroniques jardin > > < > http://semantic-forms.cc:1952/history?uri=http%3A%2F%2Fdbpedia.org%2Fresource%2FChronicle > > > > >
