[Snyk] Fix for 1 vulnerabilities

[snyk-io]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• samples/client/petstore/java/retrofit2-play25/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551	125	com.fasterxml.jackson.core:jackson-core: 2.10.1 -> 2.21.2 com.fasterxml.jackson.core:jackson-databind: 2.10.1 -> 2.21.2 com.fasterxml.jackson.datatype:jackson-datatype-jsr310: 2.10.1 -> 2.21.2 No Path Found No Known Exploit

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

[snyk-io]

This upgrade of the Jackson library from version 2.10.1 to 2.21.2 spans multiple minor versions and introduces significant changes, including a Java version requirement update and several behavioral modifications that require verification.

Key Changes and Potential Impacts:

• Java 8+ Required: Starting with version 2.14, jackson-core and jackson-databind require Java 8 as the minimum runtime version. Projects running on Java 7 will need to upgrade their JDK environment.

• Behavioral and API Changes:

  • Processing Limits (v2.15): New default limits have been introduced for maximum string length, number length, and document nesting depth to mitigate DoS vulnerabilities. Applications processing very large or deeply nested JSON documents may encounter StreamConstraintsException and require configuration adjustments.
  • @JsonIgnore Precedence (v2.14): The handling of conflicting @JsonIgnore and @JsonProperty annotations has changed. @JsonIgnore is now given precedence, which could alter serialization output in classes with complex inheritance or mixed annotations.
  • Java Record Deserialization (v2.15): The mechanism for deserializing Java Records was modified, which led to regressions for some use cases. While fixes were issued in patch releases, this area requires testing if you use Records.
  • Date/Time Serialization (v2.11 & v2.16): The default format for java.util.Date timezone offsets was changed in v2.11 to include a colon (+00:00). Additionally, a breaking API change was introduced in InstantDeserializer in v2.16, which was subsequently fixed in a patch release.

• Module and Dependency Changes:

  • Jakarta Namespace: Version 2.13 introduced new module artifacts with the jakarta namespace to support projects migrating from javax to jakarta APIs.

Recommendation:

Given the Java 8 baseline requirement and the multiple behavioral changes, this upgrade carries a medium risk. It is critical to:

1. Ensure your project is running on Java 8 or a later version.
2. Thoroughly test JSON serialization and deserialization, paying close attention to error handling for large inputs, the use of Java Records, and objects with @JsonIgnore annotations.

Source: Jackson project release notes on GitHub.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.