Should we use jackson_databind 2.1.10 or 2.10

Ron Karim (Oracle Corp.)

Oct 24, 2019, 1:51:32 PM
to jackson-user
Due to security reports, we have to replace the jackson 2.9.9.3 at the corporate level.

Should we go for the version jackson_databind 2.10 or the 2.9.10? Not sure if 2.10 is stable enough. We want to be careful as a lot of products and users utilize this library; we want to use the latest due to the security issue reported in the older version, but stability is critical.

Thanks.

Tatu Saloranta

Oct 24, 2019, 1:57:15 PM
to jackson-user
2.10.0 is the latest minor version considered stable (unlike
pre-release 2.10.0.pr1 / 2 / 3) and not considered experimental.
But being new minor version there are sometimes small issues from
previous minor version so something corporations may want to wait for
the first patch: 2.10.1 should be released within next 2 weeks or so.

So unless it absolutely has to be done right now, I would consider
going to 2.10.1 when it gets released (but starting testing now with
2.10.0). In the meantime there is the 2.9.10 full set with 2.9.10.1
jackson-databind, which is a trivial update risk-wise.

Now: the really big thing about 2.10.0 -- and the reason why I think
you should start planning for upgrade -- is that the whole class of
vulnerabilities (CVEs) will not be applicable to it any more, unlike
for 2.9 and earlier. See:

https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist

I hope this helps,

-+ Tatu +-
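The reason the 2.10 line changes the picture is the API it introduces around default typing. Up to 2.9, `ObjectMapper.enableDefaultTyping()` lets the JSON name the concrete class to instantiate, and the only guard is jackson-databind's internal deny-list of gadget classes that have already been reported, which is why each new gadget meant a new CVE and a new patch release. In 2.10 that method is deprecated and the replacement, `activateDefaultTyping()`, cannot be called without a `PolymorphicTypeValidator`, so the application states which subtypes are acceptable and unknown class names are rejected regardless of whether anyone has reported them yet. The following Java sketch is an added example for this thread, not code from the Jackson project or from either poster; it assumes jackson-databind 2.10.x on the classpath, and the `Shape`, `Circle`, `Envelope` types and the `tryRead` helper are hypothetical. The `payload` field is deliberately declared as `Object`, since that is the kind of property where every class on the classpath qualifies as a subtype:

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application types used only for this example.
    public interface Shape { }

    public static final class Circle implements Shape {
        public double radius;
    }

    // An envelope whose payload is declared as Object. With default typing on,
    // the JSON type id decides which class gets instantiated here, and any
    // class on the classpath is a "subtype" of Object.
    public static final class Envelope {
        public Object payload;
    }

    // 2.9-style configuration. Still compiles on 2.10 but is deprecated:
    // any class name in the JSON is a candidate, and the only thing between
    // that name and instantiation is the library's internal deny-list of
    // gadget classes that have already been reported.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(DefaultTyping.NON_FINAL);
        return m;
    }

    // 2.10-style configuration. activateDefaultTyping() requires a
    // PolymorphicTypeValidator; this one allow-lists only our own Shape
    // implementations, so the deny-list is no longer what protects us.
    static ObjectMapper validatedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return m;
    }

    // Hypothetical helper: returns the simple class name of the payload that
    // was deserialized, or a "rejected: ..." string if the mapper refused
    // the type id (InvalidTypeIdException is a JsonMappingException).
    static String tryRead(ObjectMapper m, String json) {
        try {
            Envelope e = m.readValue(json, Envelope.class);
            return e.payload == null ? "null" : e.payload.getClass().getSimpleName();
        } catch (JsonMappingException ex) {
            return "rejected: " + ex.getOriginalMessage();
        } catch (java.io.IOException ex) {
            return "error: " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Circle c = new Circle();
        c.radius = 2.0;
        Envelope env = new Envelope();
        env.payload = c;

        // A legitimate document, written by the application itself. With
        // NON_FINAL default typing the Object-typed payload is serialized as
        // a wrapper array: [ "<class name>", { ...fields... } ].
        String good = validatedMapper().writeValueAsString(env);
        System.out.println(good);

        // Constructed document naming an unrelated JDK class in the type id.
        // java.util.HashMap is harmless; the point is only that it is not a
        // Shape, so the validator has no reason to accept it.
        String foreign = "{\"payload\":[\"java.util.HashMap\",{}]}";

        System.out.println("legacy    good:    " + tryRead(legacyMapper(), good));
        System.out.println("legacy    foreign: " + tryRead(legacyMapper(), foreign));
        System.out.println("validated good:    " + tryRead(validatedMapper(), good));
        System.out.println("validated foreign: " + tryRead(validatedMapper(), foreign));
    }
}
```

Two practical notes for anyone planning the upgrade discussed above. First, bumping the dependency to 2.10 is not by itself the fix: code that still calls the deprecated `enableDefaultTyping()` keeps the old deny-list behaviour, so the migration has to find those call sites (and any `@JsonTypeInfo(use = Id.CLASS)` annotations on `Object`-typed properties) and give each one a validator. Second, `BasicPolymorphicTypeValidator` also offers name-based rules such as `allowIfSubType("com.example.")`, which are convenient for large code bases but should be kept as narrow as the class-based rule shown here, since a wide package prefix re-opens the door to whatever happens to live under it.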
