This upgrade involves a high-risk major version update for resteasy-jackson2-provider and medium-risk minor version updates for the Jackson library suite. The Resteasy upgrade requires immediate developer action and code modification.
High Risk: org.jboss.resteasy:resteasy-jackson2-provider (3.1.3.Final → 6.2.0.Final)
This is a major version upgrade that migrates from Java EE to Jakarta EE, which is a significant breaking change.
Key Breaking Changes:
Jakarta Namespace Migration: RESTEasy 6.x is built on Jakarta EE 9+ and requires the use of the jakarta.* namespace instead of the older javax.* namespace. All application code using JAX-RS APIs (e.g., @Path, @GET, Response) must be updated. [3, 45]
Example: Imports must be changed from javax.ws.rs.core.Response to jakarta.ws.rs.core.Response.
Module and API Changes: RESTEasy has undergone significant structural changes between versions 3.x and 6.x. Several modules and deprecated classes, including some async APIs and providers like resteasy-jettison-provider, were removed in version 4.x. [42, 43]
Recommendation: This is a major migration effort that will cause build and runtime failures without significant code refactoring. Developers must update all javax.ws.rs imports to jakarta.ws.rs and verify compatibility with other Jakarta EE components.
Medium Risk: Jackson Suite (2.10.1 → 2.21.2)
This upgrade spans multiple minor versions of the Jackson libraries (jackson-core, jackson-databind, etc.) and introduces important environmental and behavioral changes.
Key Breaking Changes:
Java Version Requirement: The minimum Java version has been raised. jackson-databind requires Java 8 starting from version 2.13, and jackson-core requires Java 8 from version 2.14. [7, 12]
Behavioral Changes & New Defaults:
Annotation Precedence: As of version 2.14, @JsonIgnore now takes precedence over @JsonProperty in case of conflicts, which reverses the previous behavior. [12]
Processing Limits: Version 2.15 introduced new default security limits to prevent Denial-of-Service attacks, including a maximum nesting depth of 1000. Parsing deeply nested JSON may now throw a StreamConstraintsException. [19, 35]
Date Serialization: Since 2.11, the default timezone offset in date serialization includes a colon (e.g., +00:00). [4, 13]
Recommendation: While core serialization/deserialization APIs are largely intact, the Java version requirement and subtle behavioral changes require thorough testing. Verify application behavior related to JSON parsing of deeply nested structures, date formats, and any conflicting property annotations.
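An added pre-merge check, not part of this Snyk PR, that exercises the three Jackson behaviour changes listed above (nesting-depth limit, @JsonIgnore over @JsonProperty, colon in the date offset) against the target jackson-databind version; the class and field names are made up for the check, and Java 11+ is assumed.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
import java.util.Date;

// Added example, not part of the Snyk PR. Assumes jackson-databind 2.15+ (here 2.21.2)
// and Java 11+ on the classpath; class and field names are made up for the check.
public class JacksonUpgradeChecks {
    // Conflicting annotations: since 2.14 @JsonIgnore wins, so "token" must be dropped.
    static class Credentials {
        public String user = "alice";
        @JsonIgnore @JsonProperty("token") public String token = "s3cr3t";
    }
    // Constructed input: `depth` nested empty arrays, e.g. nested(3) == "[[[]]]".
    static String nested(int depth) {
        return "[".repeat(depth) + "]".repeat(depth);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // 1. Processing limits: the 2.15 default nesting cap is 1000. Exactly 1000 levels
        //    still parse; one more is rejected with StreamConstraintsException.
        int limit = StreamReadConstraints.DEFAULT_MAX_DEPTH;
        mapper.readTree(nested(limit));
        try {
            mapper.readTree(nested(limit + 1));
            throw new AssertionError("depth " + (limit + 1) + " should have been rejected");
        } catch (StreamConstraintsException expected) {
            System.out.println("nesting limit enforced: " + expected.getMessage());
        }
        // A payload that legitimately needs more depth gets an explicit, still-bounded cap.
        ObjectMapper lenient = new ObjectMapper(JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder().maxNestingDepth(2000).build())
                .build());
        lenient.readTree(nested(limit + 1));

        // 2. Annotation precedence: serialized form must contain "user" but not "token".
        String creds = mapper.writeValueAsString(new Credentials());
        if (creds.contains("token")) throw new AssertionError("@JsonIgnore did not win: " + creds);

        // 3. Date serialization: textual dates carry a colon in the offset since 2.11
        //    (1970-01-01T00:00:00.000+00:00 rather than +0000).
        mapper.disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS);
        String epoch = mapper.writeValueAsString(new Date(0));
        if (!epoch.endsWith("+00:00\"")) throw new AssertionError("unexpected offset: " + epoch);
        System.out.println("all upgrade checks passed");
    }
}
```

Run it once against the pre-upgrade classpath (expect checks 1 and 2 to fail) and once after the bump, so the behaviour changes are observed rather than assumed.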
Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
Snyk has created this PR to fix 1 vulnerability in the maven dependencies of this project.
Snyk changed the following file(s):
  samples/client/petstore/java/resteasy/pom.xml

Vulnerabilities that will be fixed with an upgrade:
  Issue: SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551 (fixed by upgrading 2.10.1 -> 2.21.2)
  Upgrades:
    com.fasterxml.jackson.core:jackson-databind: 2.10.1 -> 2.21.2
    com.fasterxml.jackson.datatype:jackson-datatype-joda: 2.10.1 -> 2.21.2
    com.fasterxml.jackson.datatype:jackson-datatype-jsr310: 2.10.1 -> 2.21.2
    org.jboss.resteasy:resteasy-jackson2-provider: 3.1.3.Final -> 6.2.0.Final
  Breaking change: Major version upgrade
  Reachability: No Path Found
  Exploit maturity: No Known Exploit
  Breaking Change Risk: see the upgrade risk summary at the top of this description
Important note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling