As many of you know, there have been a few security fixes (for CVEs
reported for "default typing" style of polymorphic deserialization).
If not familiar with this, please read:

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Now: maintaining multiple older branches is a significant overhead,
and I need to balance this against the benefits to the community of having
security patches for older versions.
At this point 2.9 is actively patched (but the 2.10 branch has started); those
will be maintained. But I have spent time to backport CVE fixes to 2.8
and even 2.7. Other contributors have further backported fixes to 2.6.

My specific question is this: are there projects out there that
actually use latest 2.7 micro-patches? Or that would want to?
If you do maintain a project that has a Jackson 2.7.x dependency, I
would like to hear from you, since I am contemplating doing just
one more FULL release -- 2.7.10 -- which would include all fixes from
the micro-patches and give a convenient full version set.
But I don't want to spend the couple of hours needed if this is not
something useful.
[note: As per http://mvnrepository.com, there are a couple dozen
projects that depend on 2.7.9.x micro-patches, so I think there is
some usage]

- +Tatu +-

-- 
You received this message because you are subscribed to the Google Groups 
"jackson-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jackson-user+unsubscr...@googlegroups.com.
To post to this group, send email to jackson-user@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.