Upgrade Jackson version (2.14.3) #7

Closed
pjfanning opened this issue Nov 3, 2022 · 4 comments

@pjfanning
Contributor

pjfanning commented Nov 3, 2022

There is a performance issue for Java users when using jackson-module-scala v2.13.x. Not too many users have reported issues but it might be best to update any v2.13 dependency to v2.14.1 (or newer version). We can keep the v2.11.4 dependency for Scala 2.x. We can upgrade to jackson v2.14.x for all Scala versions after Pekko's initial release.

FasterXML/jackson-module-scala#576

@jrudolph
Contributor

Actually, Jackson is a huge problem, since it leads to all kinds of compatibility problems in downstream projects.

apache/pekko-projection#19 shows a problem where we probably cannot release a 1.0.0 of pekko-projection without upgrading Jackson everywhere (i.e. we can release it but it won't work with pekko-persistence-cassandra which might be one of the main combinations that people are using). The reason is that the last OS version of akka-projection is built against an old version of alpakka-cassandra (2.0.1) that we don't intend to support (pekko-connectors is based on alpakka 3).

IMO we should under no circumstances stay on Jackson 2.11 which is not supported any more and has all kinds of published security issues that will be immediately flagged for users. The question would still be which version to use instead (2.12, 2.13, or 2.14). This is hard to find out because so many potential combinations of subprojects need to be considered. Given the history of problems with Jackson, I would recommend going to the latest version (2.14) because that will hold up for the longest time.

Updating the version here will mean that we might pull up Jackson for our users. I consider that a much smaller problem (since there will be all kinds of challenges users might have while updating to Pekko) than staying on the old and broken version.

@pjfanning
Contributor Author

Can't we downgrade the cassandra driver - to one that uses Jackson 2.11?

Jackson 2.12.7.1 has no CVEs if we want to upgrade but not go all the way to Jackson 2.14. Jackson 2.15 is out soon but that introduces a StreamReadConstraints setting that defaults to high limits but not unlimited values so we would probably need to add settings in reference.conf that allow users to choose higher limits.

@mdedetrich
Contributor

mdedetrich commented Mar 27, 2023

apache/pekko-projection#19 (review) is relevant

pjfanning changed the title from "Upgrade Jackson version (Scala 3 only)" to "Upgrade Jackson version (2.14.2)" on Mar 27, 2023

pjfanning added this to the 1.0.0 milestone on Apr 17, 2023

@pjfanning
Contributor Author

this is done

pjfanning self-assigned this on Apr 19, 2023

pjfanning changed the title from "Upgrade Jackson version (2.14.2)" to "Upgrade Jackson version (2.14.3)" on Jun 13, 2023

3 participants