Jongo 1.4.0 Release plans


Nick Ebbitt

Feb 16, 2018, 4:53:04 AM
to Jongo
Hello,

Just a quick question re: release of Jongo 1.4.0.

Do you have any plans around when 1.4.0 may be released?

A bit of context - we are using Dropwizard 1.3.0 as well as Jongo 1.3.0. Dropwizard requires Jackson 2.9.x and Jongo requires Jackson 2.7.x so we have a compatibility issue that is difficult to work around.

We've tested against the HEAD of Jongo i.e. 1.4.0-early and so far so good. We'd obviously prefer to depend on a stable release of Jongo rather than manage a fork.

What are the current blockers, if any, and is there any way we could help progress to a stable 1.4.0 release?

Thanks

Nick

Benoît Guérout

Feb 17, 2018, 6:14:28 AM
to jongo...@googlegroups.com
Hello,

1.4.0 should expose a new API to deal with the "new" mongo java driver API.
This has been mostly done for more than a year (maybe two), but it's very hard for me to find time to finish what has been done.

So instead of waiting for 1.4.0 and because bson4jackson 2.7.x is compatible with Jackson to 2.9.x, we can quickly release Jongo 1.3.1.

As a second step, we can later release Jongo 1.3.2 with bson4jackson 2.9.x support.

BTW, is your message related to https://github.com/bguerout/jongo/issues/327?

Nick Ebbitt

Feb 17, 2018, 9:28:14 AM
to jongo...@googlegroups.com
Hi Benoît,

Thanks for getting back to me.

I hadn’t seen the issue you linked to, but yes, we have similar motives. The reason for our Dropwizard upgrade is related to removing vulnerabilities, one of these being Jackson.

I have a fix for 1.3.0 that simply fixes the use of the deprecated API for AnnotatedMember#fixAccess to its replacement in https://github.com/bguerout/jongo/blob/b37cac6e38ff748791a063a99e625d1d954d9692/src/main/java/org/jongo/marshall/jackson/JacksonObjectIdUpdater.java#L48.

While this doesn’t resolve the vulnerability issues, it does mean that we can simply exclude the transitive Jackson dependency as Jongo looks to play nicely with 2.9.3. I’m happy to create a PR with this change if it sounds useful?

Of course the alternative, and preferable option, would be to upgrade all Jackson libraries to 2.9.3. I could take a look at this if you like unless it's already in hand.

Thanks

Nick

Benoît Guérout

Feb 17, 2018, 1:27:41 PM
to jongo...@googlegroups.com
I think this fix has already been merged into master (https://github.com/bguerout/jongo/pull/312). Is it the same fix?

If it's the case you can make a backport (cherry-pick?).

I've just pushed a new branch, named releases/1.3.x, to hold hotfixes for this version. You can base your pull request on it.

My first thought was to upgrade Jackson in a 1.3.1, but I have checked semver rules and this is considered a major modification, so it is better to include it in 1.4.0.

According to the active issues on GitHub, the new API can be delayed to a 1.5.0 version and 1.4.0 focused on the Jackson and Bson4jackson 2.9.x upgrade.

Nick Ebbitt

Feb 17, 2018, 4:22:49 PM
to jongo...@googlegroups.com
Yes that’s the same fix :)

That’s great, yes I’ll cherry-pick the commit and submit a PR.

Good shout re: making 1.3.1 a bug fix release, agreed that the Jackson upgrade warrants a minor version bump. The Jackson upgrade for 1.4.0 also makes sense and we’d be sure to take that when it's ready. As mentioned previously, if there’s any way I can help move this forward let me know.

Thanks

Nick