jrudolph
commented
1 year ago Actually, Jackson is a huge problem, since it leads to all kinds of compatibility problems in downstream projects.
https://github.com/apache/incubator-pekko-projection/pull/19 shows a problem where we probably cannot release a 1.0.0 of pekko-projection without upgrading Jackson everywhere (i.e. we can release it but it won't work with pekko-persistence-cassandra which might be one of the main combination that people are using). The reason is that the last OS version of akka-projection is built against an old version of alpakka-cassandra (2.0.1) that we don't intend to support (pekko-connectors is based on alpakka 3).
IMO we should under no circumstances stay on Jackson 2.11 which is not supported any more and has all kinds of published security issues that will be immediately flagged for users. The question would still be which version to use instead (2.12, 2.13, or 2.14). This is hard to find out because so many potential combinations of subprojects need to be considered. Given the history of problems with Jackson, I would recommend going to the latest version (2.14) because that will hold up for the longest time.
Updating the version here will mean that we might pull up Jackson for our users. I consider that a much smaller problem (since there will be all kinds of challenges users might have while updating to Pekko) than staying on the old and broken version.
pjfanning
mdedetrich
There is a performance issue for Java users when using jackson-module-scala v2.13.x. Not too many users have reported issues but it might be best to update any v2.13 dependency to v2.14.1 (or newer version). We can keep the v2.11.4 dependency for Scala 2.x. We can upgrade to jackson v2.14.x for all Scala versions after Pekko's initial release.
https://github.com/FasterXML/jackson-module-scala/issues/576