play-json icon indicating copy to clipboard operation
play-json copied to clipboard
verified publisher icon playframework

support jackson 2.19

Open pjfanning opened this issue 1 year ago • 2 comments

Pull Request Checklist

  • [ ] Have you read through the contributor guidelines?
  • [ ] Have you squashed your commits?
  • [ ] Have you added copyright headers to new files?
  • [ ] Have you updated the documentation?
  • [ ] Have you added tests for any changed functionality?

Fixes

Fixes #xxxx

Purpose

Relates to #1055 There are issues with tests in playframework where some tests deliberately have deeply nested JSON. Jackson now defaults to a limit of 1000. I would like to support overriding more of the StreamReadConstraints settings in Jackson but this is a start.

What does this PR do?

Background Context

Why did you take this approach?

References

Are there any relevant issues / PRs / mailing lists discussions?

pjfanning avatar Sep 05 '24 00:09 pjfanning

@mkurz does this look like a way forward for supporting Jackson 2.15 and above?

One extra change that I would like to make would be to change the visibility of the JacksonJson class to be scoped to [play] as opposed to just the [jackson] package - because 2 playframework tests need to be able to override the nesting depth limit.

pjfanning avatar Sep 05 '24 01:09 pjfanning

Anything I can do to help get this merged?

tmccombs avatar May 22 '25 16:05 tmccombs

Hi, I am wondering whether we have any update on this? There is CVE-2025-52999 affecting the latest version of Play JSON and is any assistance (e.g. testing) required to get this over the line? Thanks

RFSurdsmanAtlassian avatar Jul 04 '25 00:07 RFSurdsmanAtlassian

I published my own fork a while ago because this and another couple of PRs that I created are awaiting review - https://github.com/pjfanning/play-json.

pjfanning avatar Jul 04 '25 00:07 pjfanning

One extra change that I would like to make would be to change the visibility of the JacksonJson class to be scoped to [play] as opposed to just the [jackson] package - because 2 playframework tests need to be able to override the nesting depth limit.

Is this still needed?

mkurz avatar Jul 09 '25 23:07 mkurz

One extra change that I would like to make would be to change the visibility of the JacksonJson class to be scoped to [play] as opposed to just the [jackson] package - because 2 playframework tests need to be able to override the nesting depth limit.

Is this still needed?

I can't recall at this stage. Maybe if you publish a snapshot of play-json, I could modify https://github.com/playframework/playframework/pull/12662 to use the snapshot jar and see what tests are still broken.

pjfanning avatar Jul 09 '25 23:07 pjfanning

Maybe if you publish a snapshot of play-json, I could modify playframework/playframework#12662 to use the snapshot jar and see what tests are still broken.

3.1.0-M2 on its way: https://github.com/playframework/play-json/actions/runs/16182146711/job/45680878429 I am off to bed now ;) Thanks!

mkurz avatar Jul 09 '25 23:07 mkurz