Upgrade to Jackson 2.12.x

[gheine]

Jackson 2.12.0 was released in November 2020 (latest version is 2.12.3). Would it be possible to upgrade play-json before the 2.10.0 GA relase?

[SethTisue]

@marcospereira would a pull request on this be welcome, or do compatibility constraints preclude it?

[marcospereira]

Hum, I'm not sure we can jump directly to that version. Play tries to use the same version used by Akka 2.6, and the latest release there uses Jackson 2.11:

https://github.com/akka/akka/blob/ceac67050199fb3683115011aa793905e64a73aa/project/Dependencies.scala#L28

Are Jackson 2.11 and 2.12 binary compatible?

[gheine]

Play tries to use the same version used by Akka 2.6, and the latest release there uses Jackson 2.11:

Play-json is independent of play though (both in version and release cycles) and doesn't depend on akka?

Are Jackson 2.11 and 2.12 binary compatible?

Not sure, I would assume nothing.

[marcospereira]

It is independent, but we usually try to keep the projects in sync to avoid having too many branches to maintain and backport fixes. But I'm not strongly opposed to the update.

@mkurz, what do you think?

[mkurz]

@marcospereira IMHO we should not upgrade to 2.12.x in play-json yet. Like you said, we should keep versions in sync with akka and Play, which both in latest versions use jackson 2.11.4. Who knows which problems could arise for Play/akka projects when a newer jackson version is on the classpath... Also, people which use sbt 1.5 would probably get an error because of the incompatible versions (because of sbt's new version conflict behaviour). Plus people would open issues in the Play repo blaming Play breaking their apps...

@gheine If you are using play-json standalone, you can just override the jackson dependency. That should work for you or not?

[mkurz]

Also see this discussion with Ignasi: playframework/playframework#10541 (comment)

[gheine]

@gheine If you are using play-json standalone, you can just override the jackson dependency. That should work for you or not?

@mkurz will this not cause binary incompatibilities at runtime, if play-json is compiled against 2.11.x and at runtime I provide a 2.12.x jar? Case in point the comment in the playframework issue you linked:

We can't upgrade to 2.12.x because that's not compatible with 2.11

[mkurz]

@gheine Yeah, that could be a problem of course. I am not sure if Jackson 2.11 and 2.12 are binary compatible, so there definitely is a risk if you override the dependency. Is there a feature or bugfix in 2.12 that makes you want to upgrade Jjackson?

[gheine]

@mkurz the AWS Java SDK recently upgraded from Jackson 2.11 to 2.12, see https://aws.amazon.com/blogs/developer/aws-sdk-for-java-version-1-12/, and since we're using them together with play-json, we're stuck on the old version.

[acando86]

With jackson-databind CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518 unlikely to be backported to 2.11/2.12 as per comment here FasterXML/jackson-databind#2816 (comment) and given the binary incompatibilities between the versions, is there any plan to bring play-json to a more recent version of jackson-databind?

[mkurz]

@acando86 Please see above comments, we are sticking with the jackson version that akka is using. You might want to file an issue in the akka repository.

[mkurz]

Please have a look my comment in #740, for the next major release IMHO it now makes sense to upgrade to latest Jackson for play-json and play itself.
For CVE-2020-36518 however I think users should upgrade the dependency themselves... Since I don't want to introduce breaking changes into production apps... So everyone has to test carefully. I will write an announcement about the CVE-2020-36518 in the GitHub Discussions soon.

[mkurz]

Please see playframework/playframework#11222 how to upgrade Jackson to latest version in your Play application.
The pull request to upgrade to latest jackson in play-json's main branch can be found here: #740