Yes, this keeps coming up, and as JB said, I don't see a problem with Jackson; it can be updated for CVEs, works very well, and is quite feature-rich in case we need it.

If we are going to do any JSON serialization I don't want to re-invent the wheel and create our own serializer, so we should at least use an existing library, even if we make it pluggable like JSON-B. There are alternatives too, like Gson, if we wanted something smaller/lightweight.

On Tue, May 16, 2023 at 3:11 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> Hi,
>
> We discussed this already in the past. IMHO, we can replace jackson by
> just sax (no need to use JSON-B regarding our usage).
>
> That said, I don't see any huge issue with Jackson: it works fine and
> we keep the versions up to date to fix CVE.
>
> The only interesting move would be to use SAX parsing directly instead
> of a mapper.
>
> Regards
> JB
>
> On Tue, May 16, 2023 at 12:17 PM Jean-Louis Monteiro
> <jlmonte...@tomitribe.com> wrote:
> >
> > Hi all,
> >
> > Jackson seems to be frequently affected by CVEs and it's really a pain for
> > users.
> >
> > Looks like Jackson is only used in the WebConsole to read/write a few
> > attributes. I'm sure we can get rid of it and either use a standard API so
> > one can plug in any implementation, or just write down a utility class to
> > parse the small attribute we have to.
> >
> > thoughts?
> >
> > I'm happy to do a PR to remove it if that's the consensus.
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com