
Consider dropping Jackson-databind dependency

Open JonathanGiles opened this issue 4 years ago • 11 comments

Jackson-databind is a frequent source of CVEs and diamond-dependency issues for users of our libraries. It is something I am actively trying to get removed from as many libraries that Microsoft ships as possible (in particular, in the Azure SDK for Java). Rather than use the jackson-databind functionality, there are often lower-level alternatives that can be used that remove the need for this dependency.

If this is something you are willing to consider, I am happy to work with you to attempt removing this dependency in msal4j.

JonathanGiles avatar Oct 04 '21 21:10 JonathanGiles

/cc @scottaddie

joshfree avatar Nov 10 '21 22:11 joshfree

@JonathanGiles : do you have a recommendation for msal4j on the best path to removing this dependency? Alternatives? What will work well with Azure SDK's?

henrik-me avatar Nov 16 '21 01:11 henrik-me

cc: @Om83

henrik-me avatar Nov 16 '21 01:11 henrik-me

yes, lets sync in Teams about what we should do here. It depends on the extent of use and whether Jackson Databind is overkill for the requirements you have.

JonathanGiles avatar Nov 16 '21 01:11 JonathanGiles

@Avery-Dunn ^^ CC: @Om83

henrik-me avatar Nov 16 '21 04:11 henrik-me

I'd love to get an update on this - dropping databind would be a huge win, and would enable the azure-sdk-for-java to more actively drop the dependency entirely from our dependency tree. I am happy to help transition away from databind, if necessary. Thanks!

JonathanGiles avatar Nov 29 '21 22:11 JonathanGiles

> @JonathanGiles : do you have a recommendation for msal4j on the best path to removing this dependency? Alternatives? What will work well with Azure SDK's?

@henrik-me happy to help with this. The general approach is to use JacksonParser and JacksonGenerator directly from jackson-core package. If MSAL only works with a few well-known models, it should be straight-forward. example in Azure SDK (just avoid using base type JsonSerializer as it's defined in databind).

If you need any help on this, LMK

lmolkova avatar Nov 29 '21 22:11 lmolkova
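As an added illustration of the streaming approach suggested in the comment above (this is example code, not code from msal4j or the Azure SDK), the following codec reads and writes a small token-response model using only `JsonParser` and `JsonGenerator` from `jackson-core`, with no `jackson-databind` on the classpath. The `TokenResponse` class, its field names and the sample JSON are assumptions made for the example; the sample is constructed and contains no real token. Because the parser dispatches on an explicit allowlist of field names and skips everything else, there is no type-name or polymorphic-deserialization surface for untrusted input to reach, which is the class of problem that makes databind a recurring CVE source.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;

import java.io.IOException;
import java.io.StringWriter;

/** Example codec for a fixed, well-known model using only jackson-core (no databind). */
public final class TokenResponseCodec {

    /** Assumed model for illustration; mirrors common OAuth2 token-response fields. */
    public static final class TokenResponse {
        public String accessToken;
        public String tokenType;
        public long expiresIn;
        public String scope;
    }

    private static final JsonFactory FACTORY = new JsonFactory();

    /** Streaming parse: only allowlisted field names are bound; everything else is skipped. */
    public static TokenResponse parse(String json) throws IOException {
        try (JsonParser p = FACTORY.createParser(json)) {
            if (p.nextToken() != JsonToken.START_OBJECT) {
                throw new IOException("expected a JSON object at top level");
            }
            TokenResponse r = new TokenResponse();
            while (p.nextToken() == JsonToken.FIELD_NAME) {
                String name = p.getCurrentName();
                JsonToken value = p.nextToken(); // advance to the field's value token
                switch (name) {
                    case "access_token": r.accessToken = requireString(p, value, name); break;
                    case "token_type":   r.tokenType   = requireString(p, value, name); break;
                    case "expires_in":   r.expiresIn   = requireLong(p, value, name);   break;
                    case "scope":        r.scope       = requireString(p, value, name); break;
                    default:
                        // Unknown field: skip it entirely, including nested objects/arrays.
                        // skipChildren() is a no-op on scalar values, so this is safe for any token.
                        p.skipChildren();
                }
            }
            if (p.currentToken() != JsonToken.END_OBJECT) {
                throw new IOException("malformed object: unexpected token " + p.currentToken());
            }
            if (r.accessToken == null) {
                throw new IOException("missing required field access_token");
            }
            return r;
        }
    }

    private static String requireString(JsonParser p, JsonToken t, String field) throws IOException {
        if (t != JsonToken.VALUE_STRING) {
            throw new IOException("field " + field + " must be a string, got " + t);
        }
        return p.getText();
    }

    /** Accepts a JSON integer, or a numeric string (some token endpoints quote expires_in). */
    private static long requireLong(JsonParser p, JsonToken t, String field) throws IOException {
        if (t == JsonToken.VALUE_NUMBER_INT) {
            return p.getLongValue();
        }
        if (t == JsonToken.VALUE_STRING) {
            try {
                return Long.parseLong(p.getText());
            } catch (NumberFormatException e) {
                throw new IOException("field " + field + " is not a valid integer string", e);
            }
        }
        throw new IOException("field " + field + " must be an integer, got " + t);
    }

    /** Streaming write: explicit field-by-field serialization, no reflection. */
    public static String toJson(TokenResponse r) throws IOException {
        StringWriter out = new StringWriter();
        try (JsonGenerator g = FACTORY.createGenerator(out)) {
            g.writeStartObject();
            g.writeStringField("access_token", r.accessToken);
            g.writeStringField("token_type", r.tokenType);
            g.writeNumberField("expires_in", r.expiresIn);
            if (r.scope != null) {
                g.writeStringField("scope", r.scope);
            }
            g.writeEndObject();
        }
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input (not a real token); includes fields the model does not know about.
        String sample = "{\"token_type\":\"Bearer\",\"expires_in\":\"3599\",\"ext_expires_in\":3599,"
                + "\"access_token\":\"example.not.a.real.token\","
                + "\"unexpected\":{\"nested\":[1,2,{\"deep\":true}]}}";
        TokenResponse r = parse(sample);
        System.out.println(r.tokenType + " token, expires in " + r.expiresIn + "s");
        System.out.println(toJson(r));
    }
}
```

The trade-off is that each model needs its own hand-written `parse`/`toJson` pair, which is why the approach only pays off when the library works with a handful of stable, well-known shapes. In exchange, the code has no `@JsonTypeInfo`-style polymorphism, no reflective binding, and no dependency on `jackson-databind` or its transitive tree.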

I spoke to @Avery-Dunn about this work a few weeks ago. Avery was going to follow up with @Om83 to prioritize. @Avery-Dunn Are there any updates to provide?

scottaddie avatar Nov 30 '21 18:11 scottaddie

Hey @scottaddie : Sorry for the delay. I plan on getting these dependency changes made sometime this week, and while I don't have an ETA this is something that will definitely be going into our next release.

@lmolkova : Thanks for the suggestions!

Avery-Dunn avatar Nov 30 '21 20:11 Avery-Dunn

@siddhijain @Avery-Dunn - can you please update the issue with what was decided in terms of replacement and a decision to replace or not ?

bgavrilMS avatar May 01 '23 13:05 bgavrilMS

The decision was to replace it with an in-house common library. I believe @Alanzimmer from the Azure Identity team was working on creating a common library that can be utilized to remove this dependency. I will check with him on where they are with this and plan the work accordingly.

siddhijain avatar May 01 '23 15:05 siddhijain