Upgrade to Jackson 2.9.9.20190807

[snicoll]

No description provided.

[snicoll]

A number of projects are broken with this upgrade (that contains a CVE) so let's sync with Spring Data before processing this one.

[michael-simons]

FYI FasterXML/jackson-databind#2395

Not an inherent Spring Data issue, I'd say.

[snicoll]

Unfortunately the latest bom release is wrong and still refers to the previous jackson-databind. I've raised FasterXML/jackson-bom#24

[franzbecker]

There might be another problem here. As the jackson-bom now has a different version scheme if I want to configure the used BOM from the outside I need to set jackson.version to 2.9.9.20190807 so that this import in Spring works:

			<dependency>
				<groupId>com.fasterxml.jackson</groupId>
				<artifactId>jackson-bom</artifactId>
				<version>${jackson.version}</version>
				<scope>import</scope>
				<type>pom</type>
			</dependency>

See https://github.com/spring-projects/spring-boot/blob/master/spring-boot-project/spring-boot-dependencies/pom.xml#L642

But as they use the same property internally (https://github.com/FasterXML/jackson-bom/blob/jackson-bom-2.9.9.20190807/pom.xml#L29) I will get errors such as these:

Could not find com.fasterxml.jackson.core:jackson-core:2.9.9.20190807

[snicoll]

@franzbecker that's not what's happening. jackson.version must be used to import the bom and not individual modules. See for instance #12790 and other duplicates.

[franzbecker]

@snicoll yes but in order to get the latest BOM I need to set jackson.version to 2.9.9.20190807.

Maybe this makes it more clear: https://github.com/franzbecker/spring-bom-problem/blob/master/build.gradle

In the issue you mentioned your colleague notes that (#12790 (comment))

As far as I know, properties in an imported bom (which is what the Jackson bom is in this case) cannot be overridden.

But to my understanding this is okay to do and documented here: https://docs.spring.io/dependency-management-plugin/docs/current/reference/html/#dependency-management-configuration-bom-import-override-property

[snicoll]

@franzbecker thanks. This looks new and a gradle specific problem as far as I can see. I don't know if the problem is here or in Jackson really. Can you please create a separate issue?

[franzbecker]

I think the underlying problem is, as mentioned in the issue you linked, that the properties have the same name and this was fine in Maven as there were certain limitation so that you could not override the property - at least in the XML. Technically you can override the property by setting the property from the outside, e.g. mvn help:effective-pom -Djackson.version=2.9.9.20190807 yields the same problem. But I doubt that's something people do.

[lonre]

@snicoll yes but in order to get the latest BOM I need to set jackson.version to 2.9.9.20190807.

Maybe this makes it more clear: https://github.com/franzbecker/spring-bom-problem/blob/master/build.gradle

In the issue you mentioned your colleague notes that (#12790 (comment))

As far as I know, properties in an imported bom (which is what the Jackson bom is in this case) cannot be overridden.

But to my understanding this is okay to do and documented here: https://docs.spring.io/dependency-management-plugin/docs/current/reference/html/#dependency-management-configuration-bom-import-override-property

we have the same issue using gradle

[franzbecker]

@snicoll thanks for the feedback - I created #17808
@lonre maybe you want to comment there as well