
[Snyk] Upgrade com.fasterxml.jackson.core:jackson-core from 2.6.5 to 2.21.4#613

Open
drmikebio wants to merge 2 commits into
mainfrom
snyk-upgrade-f2fca51ae038902d9e4db5773b0ea143

Conversation

@drmikebio

Snyk has created this PR to upgrade com.fasterxml.jackson.core:jackson-core from 2.6.5 to 2.21.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 128 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

| Severity | Issue | Snyk ID | Score | Exploit Maturity |
|---|---|---|---|---|
| high | Stack-based Buffer Overflow | SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754 | 300 | No Known Exploit |
| high | Allocation of Resources Without Limits or Throttling | SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924 | 300 | Proof of Concept |
| high | Denial of Service (DoS) | SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538 | 300 | No Known Exploit |
| medium | Information Exposure | SNYK-JAVA-COMFASTERXMLJACKSONCORE-10332631 | 300 | Proof of Concept |
| medium | Denial of Service (DoS) | SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519 | 300 | No Known Exploit |
| medium | Denial of Service (DoS) | SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520 | 300 | No Known Exploit |

Breaking Change Risk

Merge Risk: Medium

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

…21.4

Snyk has created this PR to upgrade com.fasterxml.jackson.core:jackson-core from 2.6.5 to 2.21.4.

See this package in maven:
com.fasterxml.jackson.core:jackson-core

See this project in Snyk:
https://app.snyk.io/org/snyk-learn-group-default/project/ff8b19f5-05f4-4d31-9294-17542d3e4e9e?utm_source=github&utm_medium=referral&page=upgrade-pr
@drmikebio (Author)

Merge Risk: Medium

This upgrade of jackson-core from version 2.6.5 to 2.21.4 spans a large number of minor releases and introduces several important changes that require verification.

Key Breaking Changes:

  • Java Version Requirement: The minimum Java version has been increased. Version 2.14 and later of jackson-core require Java 8, up from Java 6 in earlier versions. Applications running on older JDKs must be upgraded.

  • Default Processing Limits: To mitigate denial-of-service (DoS) vulnerabilities, newer versions introduce default limits on the input being processed. Applications handling large or deeply nested JSON may be affected:

    • Maximum Nesting Depth: A default limit of 1000 for nested objects and arrays was introduced in version 2.14.
    • Maximum Number/String Length: Version 2.15 added limits on the maximum length of numeric (1000 characters) and string values (initially 5M, later 20M characters).
    • These limits are configurable via the StreamReadConstraints class on the JsonFactory.
  • Behavioral Changes: Several subtle changes to default behavior may impact specific use cases:

    • In version 2.13, deserializing to Arrays.asList() now results in an immutable list.
    • In version 2.14, if a property has both @JsonIgnore and @JsonProperty annotations, @JsonIgnore now takes precedence.
    • In version 2.17, string values with leading zeros (e.g., "07") are no longer automatically converted to numbers.

Recommendation:

Given the wide version span, developers should:

  1. Ensure their environment uses Java 8 or newer.
  2. Test applications that parse large or complex JSON documents to see if they are affected by the new default processing limits. If necessary, configure StreamReadConstraints to adjust the limits.
  3. Review the release notes for versions between 2.7 and 2.21 for other minor changes that might affect their specific usage.

Source: Jackson Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
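The comment above points at StreamReadConstraints as the knob for the new default processing limits. The following Java program is an added example, not code from this PR, from Snyk, or from the Jackson project; it shows what happens when a document exceeds the default nesting-depth limit, and how a service can set its own, tighter limits on a JsonFactory before parsing untrusted input. It uses only jackson-core (2.15 or later, where StreamReadConstraints exists) and the constructed inputs are built inline; the limit values chosen for the tightened factory are illustrative assumptions.

```java
import java.io.IOException;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

public class StreamReadConstraintsDemo {

    /**
     * A JsonFactory with explicit, tightened read constraints.
     * The numbers below are illustrative; pick values that match what
     * your application legitimately needs to accept.
     */
    static JsonFactory tightenedFactory() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(100)        // jackson-core default: 1000
                .maxNumberLength(100)        // jackson-core default: 1000
                .maxStringLength(1_000_000)  // well below the 20M default of recent 2.x releases
                .build();
        return JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
    }

    /** Streams through every token so the whole document is actually traversed. */
    static int countTokens(JsonFactory factory, String json) throws IOException {
        int tokens = 0;
        try (JsonParser parser = factory.createParser(json)) {
            while (parser.nextToken() != null) {
                tokens++;
            }
        }
        return tokens;
    }

    /** Constructed input: `depth` nested arrays, i.e. [[[...]]]. */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Constructed input: a single integer with `digits` digits inside an array. */
    static String longNumber(int digits) {
        StringBuilder sb = new StringBuilder(digits + 2).append('[');
        for (int i = 0; i < digits; i++) sb.append('9');
        return sb.append(']').toString();
    }

    /**
     * Parses and reports the outcome. StreamConstraintsException is the
     * signal that a StreamReadConstraints limit was hit, which is what a
     * service should log and reject rather than treat as a generic parse error.
     */
    static String describe(JsonFactory factory, String label, String json) {
        try {
            return label + ": parsed " + countTokens(factory, json) + " tokens";
        } catch (StreamConstraintsException e) {
            return label + ": rejected by StreamReadConstraints: " + e.getMessage();
        } catch (IOException e) {
            return label + ": malformed input: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        JsonFactory defaults = new JsonFactory();   // library defaults (depth 1000, number 1000)
        JsonFactory tightened = tightenedFactory();

        String shallow = nestedArrays(50);
        String deep = nestedArrays(1500);
        String bigNumber = longNumber(500);

        // With the defaults, 50 levels parse fine but 1500 levels are rejected.
        System.out.println(describe(defaults, "defaults / depth 50", shallow));
        System.out.println(describe(defaults, "defaults / depth 1500", deep));
        // The tightened factory still accepts 50 levels but rejects a 500-digit number,
        // which the defaults would have accepted.
        System.out.println(describe(tightened, "tightened / depth 50", shallow));
        System.out.println(describe(defaults, "defaults / 500-digit number", bigNumber));
        System.out.println(describe(tightened, "tightened / 500-digit number", bigNumber));
    }
}
```

Running this against a jackson-core at or above 2.15 is a quick way to confirm that the upgraded library enforces limits at all, and to find out which of your own inputs trip them before the change reaches production. If a code path must accept larger documents, raise the specific limit on a dedicated JsonFactory for that path rather than relaxing the constraints globally; if the application uses ObjectMapper, the same factory can be handed to it so the constraints apply there as well.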

…21.4

Snyk has created this PR to upgrade com.fasterxml.jackson.core:jackson-core from 2.6.5 to 2.21.4.

See this package in maven:
com.fasterxml.jackson.core:jackson-core

See this project in Snyk:
https://app.snyk.io/org/snyk-learn-group-default/project/ff8b19f5-05f4-4d31-9294-17542d3e4e9e?utm_source=github&utm_medium=referral&page=upgrade-pr