SUSE-SU-2022:1678-1 -- SLES jackson-annotations, jackson-core, jackson-databind, jackson-dataformat-cbor

ID: oval:org.secpod.oval:def:89046311
Date: (C) 2022-05-25 (M) 2023-12-26
Class: PATCH
Family: unix

This update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core fixes the following issues:

Security issues fixed:

- CVE-2020-36518: Fixed a Java stack overflow exception and denial of service via a large depth of nested objects in jackson-databind.
- CVE-2020-25649: Fixed an insecure entity expansion in jackson-databind which was vulnerable to XML external entity (XXE) processing.
- CVE-2020-28491: Fixed a bug which could cause a `java.lang.OutOfMemoryError` exception in jackson-dataformats-binary.

Non security fixes:

jackson-annotations - update from version 2.10.2 to version 2.13.0:

+ Build with source/target levels 8
+ Add "mvnw" wrapper
+ "JsonSubType.Type" should accept array of names
+ Jackson version alignment with Gradle 6
+ Add "@JsonIncludeProperties"
+ Add "@JsonTypeInfo"
+ Ability to use "@JsonAnyGetter" on fields
+ Add "@JsonKey" annotation
+ Allow repeated calls to "SimpleObjectIdResolver.bindItem" for same mapping
+ Add "namespace" property for "@JsonProperty"
+ Add target "ElementType.ANNOTATION_TYPE" for "@JsonEnumDefaultValue"
+ "JsonPattern.Value.pattern" retained as , never exposed as "null"
+ Rewrite to use `ant` for building in order to be able to use it in packages that have to be built before maven

jackson-bom - update from version 2.10.2 to version 2.13.0:

+ Configure moditect plugin with "jvmVersion11/jvmVersion"
+ jackson-bom manages the version of "junit:junit"
+ Drop "jackson-datatype-hibernate3"
+ Removed jakarta classifier variants of JAXB/JSON-P/JAX-RS modules due to the addition of new Jakarta artifacts
+ Add version for "jackson-datatype-jakarta-jsonp" module
+ Add version for "jackson-dataformat-toml"
+ Jakarta 9 artifact versions are missing from jackson-bom
+ Add default settings for "gradle-module-metadata-maven-plugin"
+ Add default settings for "build-helper-maven-plugin"
+ Drop "jackson-module-scala_2.10" entry
+ Add override for "version.plugin.bundle" to help build on JDK 15+
+ Add missing version for jackson-datatype-eclipse-collections

jackson-core - update from version 2.10.2 to version 2.13.0:

+ Build with source and target levels 8
+ Misleading exception for input source when processing byte buffer with start offset
+ Escape contents of source document snippet for "JsonLocation._appendSourceDesc"
+ Add "StreamWriteException" type to eventually replace "JsonGenerationException"
+ Replace "getCurrentLocation"/"getTokenLocation" with "currentLocation"/"currentTokenLocation" in "JsonParser"
+ Replace "JsonGenerator.writeObject" with "writePOJO"
+ Replace "getCurrentValue"/"setCurrentValue" with "currentValue"/"assignCurrentValue" in "JsonParser"/"JsonGenerator"
+ Introduce O BigDecimal parser implementation
+ ByteQuadsCanonicalizer.addName has incorrect handling for case of q2 == null
+ UTF32Reader ArrayIndexOutOfBoundsException
+ Improve exception/JsonLocation handling for binary content: don't show content, include byte offset
+ Fix an issue with the TokenFilter unable to ignore properties when deserializing
+ Optimize array allocation by "JsonStringEncoder"
+ Add "mvnw" wrapper
+ Optimize array allocation by "JsonStringEncoder"
+ Add back accidentally removed "JsonStringEncoder" related methods in "BufferRecyclers"
+ "ArrayOutOfBoundException" at "WriterBasedJsonGenerator.writeString"
+ Allow optional-padding for "Base64Variant"
+ More customizable TokenFilter inclusion
+ Publish Gradle Module Metadata
+ Add "StreamReadCapability" for further format-based/format-agnostic handling improvements
+ Add "JsonParser.isExpectedNumberIntToken" convenience method
+ Add "StreamWriteCapability" for further format-based/format-agnostic handling improvements
+ Add "JsonParser.getNumberValueExact" to allow precision-retaining buffering
+ Limit initial allocated block size by "ByteArrayBuilder" to max block size
+ Add "JacksonException" as parent class of "JsonProcessingException"
+ Make "JsonWriteContext.reset" and "JsonReadContext.reset" methods public
+ Deprecate "JsonParser.getCurrentTokenId"
+ Full LICENSE included in jar for easier access by compliancy tools
+ Fix NPE in "writeNumber" method of "UTF8JsonGenerator", "WriterBasedJsonGenerator"
+ Add a String Array write method in the Streaming API
+ Synchronize variants of "JsonGenerator#writeNumberField" with "JsonGenerator#writeNumber"
+ Add JsonGenerator#writeNumber method
+ Do not clear aggregated contents of "TextBuffer" when "releaseBuffers" called
+ "FilteringGeneratorDelegate" does not handle "writeString"
+ Optionally allow leading decimal in float tokens
+ Rewrite to use ant for building in order to be able to use it in packages that have to be built before maven
+ Parsing JSON with "ALLOW_MISSING_VALUE" enabled results in endless stream of "VALUE_NULL" tokens
+ Handle case when system property access is restricted
+ "FilteringGeneratorDelegate" does not handle "writeString"
+ DataFormatMatcher#getMatchedFormatName throws NPE when no match exists
+ "JsonParser.getCurrentLocation" byte/char offset update incorrectly for big payloads

jackson-databind - update from version 2.10.5.1 to version 2.13.0:

+ "@JsonValue" with integer for enum does not deserialize correctly
+ "AnnotatedMethod.getValue/setValue" doesn't have useful exception message
+ Add "DatabindException" as intermediate subtype of "JsonMappingException"
+ Jackson does not support deserializing new Java 9 unmodifiable collections
+ Allocate TokenBuffer instance via context objects
+ Add mechanism for setting default "ContextAttributes" for "ObjectMapper"
+ Add "DeserializationContext.readTreeAsValue" methods for more convenient conversions for deserializers to use
+ Clean up support of typed unmodifiable, singleton Maps/Sets/Collections
+ Extend internal bitfield of "MapperFeature" to be "long"
+ Add "removeMixIn" method in "MapperBuilder"
+ Backport "MapperBuilder" lambda-taking methods: "withConfigOverride", "withCoercionConfig", "withCoercionConfigDefaults"
+ configOverrides silently ignored, whereas .configOverride works for both primitives and boxed boolean values
+ Don't track unknown props in buffer if "ignoreAllUnknown" is true
+ Should allow deserialization of java.time types via opaque "JsonToken.VALUE_EMBEDDED_OBJECT"
+ Optimize AnnotatedConstructor.call case by passing explicit null
+ Add AnnotationIntrospector.XmlExtensions interface for decoupling javax dependencies
+ Custom SimpleModule not included in list returned by ObjectMapper.getRegisteredModuleIds after registration
+ Use more limiting default visibility settings for JDK types
+ Deep merge for "JsonNode" using "ObjectReader.readTree"
+ IllegalArgumentException: Conflicting setter definitions for property with more than 2 setters
+ Serializing java.lang.Thread fails on JDK 11 and above
+ String-based "Map" key deserializer is not deterministic when there is no single arg constructor
+ Add ArrayNode#set
+ JsonStreamContext currentValue wrongly references to "@JsonTypeInfo" annotated object
+ DOM "Node" serialization omits the default namespace declaration
+ Support "suppressed" property when deserializing "Throwable"
+ "AnnotatedMember.equals" does not work reliably
+ Add "MapperFeature.APPLY_DEFAULT_VALUES", initially for Scala module
+ For an absent property Jackson injects "NullNode" instead of "null" to a JsonNode-typed constructor argument of a "@ConstructorProperties"-annotated constructor
+ "XMLGregorianCalendar" doesn't work with default typing
+ Content "null" handling not working for root values
+ StdDeserializer rejects blank strings for ints
+ "USE_BASE_TYPE_AS_DEFAULT_IMPL" not working with "DefaultTypeResolverBuilder"
+ Add PropertyNamingStrategies.UpperSnakeCaseStrategy
+ StackOverflowError when serializing JsonProcessingException
+ Support for BCP 47 "java.util.Locale" serialization/deserialization
+ String property deserializes null as null for JsonTypeInfo.As.EXISTING_PROPERTY
+ Can not deserialize json to enum value with Object-/Array-valued input, "@JsonCreator"
+ Fix to avoid problem with "BigDecimalNode", scale of "Integer.MIN_VALUE"
+ Extend handling of "FAIL_ON_NULL_FOR_PRIMITIVES" to cover coercion from String via "AsNull"
+ Add "mvnw" wrapper
+ Factory method generic type resolution does not use Class-bound type parameter
+ Deserialization of empty subtype with DEDUCTION failed
+ Merge findInjectableValues results in AnnotationIntrospectorPair
+ READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE doesn't work with empty strings
+ "TypeFactory" cannot convert "Collection" sub-type without type parameters to canonical form and back
+ Fix for [modules-java8#207]: prevent fail on secondary Java 8 date/time types
+ EXTERNAL_PROPERTY does not work well with "@JsonCreator" and "FAIL_ON_UNKNOWN_PROPERTIES"
+ String property deserializes null as null for "JsonTypeInfo.As.EXTERNAL_PROPERTY"
+ Property ignorals cause "BeanDeserializer" to forget how to read from arrays
+ "UntypedObjectDeserializer" mixes multiple unwrapped collections
+ Two cases of incorrect error reporting about DeserializationFeature
+ Bug in polymorphic deserialization with "@JsonCreator", "@JsonAnySetter", "JsonTypeInfo.As.EXTERNAL_PROPERTY"
+ Polymorphic subtype deduction ignores "defaultImpl" attribute
+ MismatchedInputException: Cannot deserialize instance of "com.fasterxml.jackson.databind.node.ObjectNode" out of VALUE_NULL token
+ Missing override for "hasAsKey" in "AnnotationIntrospectorPair"
+ Creator lookup fails with "InvalidDefinitionException" for conflict between single-double/single-Double arg constructor
+ "MapDeserializer" forcing "JsonMappingException" wrapping even if WRAP_EXCEPTIONS set to false
+ Auto-detection of constructor-based creator method skipped if there is an annotated factory-based creator method
+ "ObjectMapper.treeToValue" no longer invokes "JsonDeserializer.getNullValue"
+ DeserializationProblemHandler is not invoked when trying to deserialize String
+ Fix failing "double" JsonCreators in jackson 2.12.0
+ Conflicting in POJOPropertiesCollector when having namingStrategy
+ Breaking API change in "BasicClassIntrospector"
+ "JsonNode.requiredAt" does NOT fail on some path expressions
+ Exception thrown when "Collections.synchronizedList" is serialized with type info, deserialized
+ Add option to resolve type from multiple existing properties, "@JsonTypeInfo"
+ "@JsonIgnoreProperties" does not prevent Exception Conflicting getter/setter definitions for property
+ Deserialization Not Working Right with Generic Types and Builders
+ Add "@JsonIncludeProperties"
+ "@JsonAnyGetter" should be allowed on a field
+ Allow handling of single-arg constructor as property based by default
+ Allow case insensitive deserialization of String value into "boolean"/"Boolean"
+ Allow use of "@JsonFormat" on Class
+ Abstract class included as part of known type ids for error message when using JsonSubTypes
+ Distinguish null from empty string for UUID deserialization
+ "ReferenceType" does not expose valid containedType
+ Add "CoercionConfig[s]" mechanism for configuring allowed coercions
+ "JsonProperty.Access.READ_ONLY" does not work with getter-as-setter "Collection"s
+ Support "BigInteger" and "BigDecimal" creators in "StdValueInstantiator"
+ "JsonProperty.Access.READ_ONLY" fails with collections when a property name is specified
+ "BigDecimal" precision not retained for polymorphic deserialization
+ Support use of "Void" valued properties
+ Explicitly fail serialization of "java.time.*" types in absence of registered custom serializers
+ Improve description included in by "DeserializationContext.handleUnexpectedToken"
+ Support for JDK 14 record types
+ "PropertyNamingStrategy" class initialization depends on its subclass, this can lead to class loading deadlock
+ "FAIL_ON_IGNORED_PROPERTIES" does not throw on "READONLY" properties with an explicit name
+ Add Gradle Module Metadata for version alignment with Gradle 6
+ Allow "JsonNode" auto-convert into "ArrayNode" if duplicates found
+ Allow values of untyped auto-convert into "List" if duplicates found
+ Add "ValueInstantiator.createContextual"
+ Support multiple names in "JsonSubType.Type"
+ Disabling "FAIL_ON_INVALID_SUBTYPE" breaks polymorphic deserialization of Enums
+ Explicitly fail serialization of "org.joda.time.*" types in absence of registered custom serializers
+ Trailing zeros are stripped when deserializing BigDecimal values inside a @JsonUnwrapped property
+ Extract getter/setter/field name mangling from "BeanUtil" into pluggable "AccessorNamingStrategy"
+ Throw "InvalidFormatException" instead of "MismatchedInputException" for ACCEPT_FLOAT_AS_INT coercion failures
+ Add "@JsonKey" annotation for customizable serialization of Map keys
+ "MapperFeature.ACCEPT_CASE_INSENSITIVE_ENUMS" should work for enum as keys
+ Add support for disabling special handling of Creator properties wrt alphabetic property ordering
+ Add "JsonNode.canConvertToExactIntegral" to indicate whether floating-point/BigDecimal values could be converted to integers losslessly
+ Improve static factory method generic type resolution logic
+ Allow preventing Enum from integer coercion using new "CoercionConfig" system
+ "@JsonValue" not considered when evaluating inclusion
+ Make some java platform modules optional
+ Add support for serializing "java.sql.Blob"
+ "AnnotatedCreatorCollector" should avoid processing synthetic static methods
+ Add errorprone static analysis profile to detect bugs at build time
+ Problem with implicit creator name detection for constructor detection
+ Add "BeanDeserializerBase.isCaseInsensitive"
+ Refactoring of "CollectionDeserializer" to solve CSV array handling issues
+ Full LICENSE included in jar for easier access by compliancy tools
+ Fix type resolution for static methods
+ "@JsonCreator" on constructor not compatible with "@JsonIdentityInfo", "PropertyGenerator"
+ Add debug improvements about "ClassUtil.getClassMethods"
+ Cannot detect creator arguments of mixins for JDK types
+ Add "JsonFormat.Shape" awareness for UUID serialization
+ Json serialization fails for a specific case that contains generics and static methods with generic parameters
+ "ObjectMapper.activateDefaultTypingAsProperty" is not using parameter "PolymorphicTypeValidator"
+ Problem deserializing raw generic fields in 2.11.2
+ Fix issues with "MapLikeType.isTrueMapType", "CollectionLikeType.isTrueCollectionType"
+ Parser/Generator features not set when using "ObjectMapper.createParser", "createGenerator"
+ Polymorphic subtypes not registering on copied ObjectMapper
+ Failure to read AnnotatedField value in Jackson 2.11
+ "TypeFactory.constructType" does not take "TypeBindings" correctly
+ Builder Deserialization with JsonCreator Value vs Array
+ JsonCreator on static method in Enum and Enum used as key in map fails randomly
+ "StdSubtypeResolver" is not thread safe
+ Conflicting setter definitions for property exception for "Map" subtype during deserialization
+ Fail to deserialize local Records
+ Rearranging of props when property-based generator is in use leads to incorrect output
+ Jackson doesn't respect "CAN_OVERRIDE_ACCESS_MODIFIERS=false" for deserializer properties
+ "DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS" doesn't support "Map" type field
+ JsonParser from MismatchedInputException cannot getText for floating-point value
+ i-I case conversion problem in Turkish locale with case-insensitive deserialization
+ "@JsonInject" fails on trying to find deserializer even if inject-only
+ Polymorphic deserialization should handle case-insensitive Type Id property name if "MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES" is enabled
+ TreeTraversingParser and UTF8StreamJsonParser create contexts differently
+ Support use of "@JsonAlias" for enum values
+ "declaringClass" of enum-as-POJO not removed for "ObjectMapper" with a naming strategy
+ Fix "JavaType.isEnumType" to support sub-classes
+ BeanDeserializerBuilder Protected Factory Method for Extension
+ Support "@JsonSerialize" and "@JsonDeserialize" on Key class
+ Add "SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL"
+ "ObjectMapper.registerSubtypes" doesn't allow registering same POJO for two different type ids
+ "DeserializationContext.handleMissingInstantiator" throws "MismatchedInputException" for non-static inner classes
+ Incorrect "JsonStreamContext" for "TokenBuffer" and "TreeTraversingParser"
+ Add "AnnotationIntrospector.findRenameByField" to support Kotlin's is-getter naming convention
+ Use "@JsonProperty" for sorting properties on serialization
+ Java 8 "Optional" not working with "@JsonUnwrapped" on unwrappable type
+ Add "MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES" to allow blocking use of unsafe base type for polymorphic deserialization
+ "ObjectMapper.setSerializationInclusion" is ignored for "JsonAnyGetter"
+ "ValueInstantiationException" when deserializing using a builder and "UNWRAP_SINGLE_VALUE_ARRAYS"
+ JsonIgnoreProperties does not work on field and method level
+ Failure to resolve generic type parameters on serialization
+ JsonParser cannot getText for input stream on MismatchedInputException
+ ObjectReader readValue lacks ClassT argument
+ Change default textual serialization of "java.util.Date"/"Calendar" to include colon in timezone offset
+ Add "ObjectMapper.createParser" and "createGenerator" methods
+ Allow serialization of "Properties" with non-String values
+ Add new factory method for creating custom "EnumValues" to pass to "EnumDeserializer"
+ "IllegalArgumentException" thrown for mismatched subclass deserialization
+ Add convenience methods for creating "List", "Map" valued "ObjectReader"s
+ "SerializerProvider.findContentValueSerializer" methods

jackson-dataformats-binary - update from version 2.10.1 to version 2.13.0:

+ Should validate UTF-8 multi-byte validity for short decode path too
+ Deprecate "CloseSafeUTF8Writer", remove use
+ Make "SmileFactory" support "JsonFactory.Feature.CANONICALIZE_FIELD_NAMES"
+ Make "CBORFactory" support "JsonFactory.Feature.CANONICALIZE_FIELD_NAMES"
+ Handle case of BigDecimal with Integer.MIN_VALUE for scale gracefully
+ Uncaught exception in CBORParser._nextChunkedByte2
+ Another uncaught exception in CBORParser._nextChunkedByte2
+ Add "SmileGenerator.Feature.LENIENT_UTF_ENCODING" for lenient handling of broken Unicode surrogate pairs on writing
+ Add "logicalType" support for some "java.time" types; add "AvroJavaTimeModule" for native ser/deser
+ Support base64 strings in "getBinaryValue" for CBOR and Smile
+ "ArrayIndexOutOfBounds" for truncated UTF-8 name
+ Generate logicalType switch
+ "ArrayIndexOutOfBounds" for truncated UTF-8 name
+ "jackson-dataformat-ion" does not handle null.struct deserialization correctly
+ "Ion-java" dep 1.4.0 - 1.8.0
+ Minor change to Ion module registration names
+ Uncaught exception in CBORParser._nextChunkedByte2
+ Uncaught exception in CBORParser._findDecodedFromSymbols
+ Uncaught validation problem wrt Smile BigDecimal type
+ ArrayIndexOutOfBoundsException for malformed Smile header
+ Failed to handle case of alleged String with length of Integer.MAX_VALUE
+ Allocate byte[] lazily for longer Smile binary data payloads
+ CBORParser need to validate zero-length byte[] for BigInteger
+ Handle invalid chunked-binary-format length gracefully
+ Allocate byte[] lazily for longer Smile binary data payloads
+ ArrayIndexOutOfBoundsException in SmileParser._decodeShortUnicodeValue
+ Handle sequence of Smile header markers without recursion
+ CBOR loses "Map" entries with specific "long" Map key values
+ Ion Polymorphic deserialization in 2.12 breaks wrt use of Native Type Ids when upgrading from 2.8
+ "ArrayIndexOutOfBoundsException" in "CBORParser" for invalid UTF-8 String
+ Handle invalid CBOR content like "[0x84]"
+ Respect "WRITE_ENUMS_USING_TO_STRING" in "EnumAsIonSymbolSerializer"
+ Add support for generating IonSexps
+ Add support for deserializing IonTimestamps and IonBlobs
+ Add "IonObjectMapper.builderForBinaryWriters" / ".builderforTextualWriters" convenience methods
+ Enabling pretty-printing fails Ion serialization
+ Allow disabling native type ids in IonMapper
+ Small bug in byte-alignment for long field names in Smile, symbol table reuse
+ Add "IonFactory.getIonSystem" accessor
+ Optimize "IonParser.getNumberType" using "IonReader.getIntegerSize"
+ Add "CBORGenerator.Feature.LENIENT_UTF_ENCODING" for lenient handling of Unicode surrogate pairs on writing
+ Add support for decoding unassigned simple values
+ Add Gradle Module Metadata
+ Cache record names to avoid hitting class loader
+ Avro null deserialization
+ Add "IonFactory.getIonSystem" accessor
+ Add "AvroGenerator.canWriteBinaryNatively" to support binary writes, fix "java.util.UUID" representation
+ Allow "IonObjectMapper" with class name annotation introspector to deserialize generic subtypes
+ Remove dependencies upon Jackson 1.X and Avro's JacksonUtils
+ "jackson-databind" should not be full dependency for modules
+ "CBORGenerator.Feature.WRITE_MINIMAL_INTS" does not write most compact form for all integers
+ "AvroGenerator" overrides "getOutputContext" properly
+ Add "IonFactory.getIonSystem" accessor
+ Fix schema evolution involving maps of non-scalar
+ Parsing a protobuf message doesn't properly skip unknown fields
+ IonObjectMapper closes the provided IonWriter unnecessarily
+ ion-java dependency 1.4.0 - 1.5.1

Platform:
SUSE Linux Enterprise Server 15 SP2
Product:
jackson-annotations
jackson-core
jackson-databind
jackson-dataformat-cbor
Reference:
SUSE-SU-2022:1678-1
CVE-2020-25649
CVE-2020-28491
CVE-2020-36518