Discuss the full replacement of fastjson with fastjson v2 in Dubbo 3.1

[CrazyHZM]

The security issues of FastJson v1 continued, causing trouble for some users of Dubbo, At present, FastJson has released the v2 version and solved the security risks in the v1 version. v2: https://github.com/alibaba/fastjson2 In addition, v2 also brings performance improvements. So I propose to replace the v1 version with the v2 version in the 3.1 version. Reason for replacement in version 3.1: considering the compatibility issues of some users.

[guohao]

Dubbo has both gson and fastjson dependencies, It is better to keep only one left.

[EarthChen]

I choose Jackson, but because gson already exists in the project, I choose gson

[cheese8]

How about make an Json interface, and take fastjson, gson, jackson etc as provider implemented the interface, then user could choose it by json provider name configuration？

[CrazyHZM]

In addition, Dubbo uses JSON serialization in two places, one is the SPI extension that provides JSON serialization, and the second is the serialization on the core link, such as the JSON serialization of metadata

[cheese8]

Could I take this issue? @CrazyHZM

[CrazyHZM]

Could I take this issue? @CrazyHZM

Let's wait for more ideas.

[kimmking]

FASTJSON2 is a new implement for json format, we should test the compatiblity of it.

[AlbumenJ]

FastJson2 will support JDK17 natively, while hessian only support JDK11 and should open jdk module in JDK17 for compatible purpose. Also, Fastjson2 has a high performance gain compared to hessian. We can consider replace hessian to fastjson2 in the future.

[AlbumenJ]

I tried to adapt fastjson2 to Dubbo as the default serializer. All unit test cases pass. Integration tests fail due to package issues. Refer https://github.com/albumenj/dubbo/tree/0424_jdk_17

[TinyZzh]

gson is much better.