This is an automated email from the ASF dual-hosted git repository.

rmannibucau pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/johnzon.git


The following commit(s) were added to refs/heads/master by this push:
     new 5eb2c7ff [doc] a word on BigDecimal/BigInteger
5eb2c7ff is described below

commit 5eb2c7ff643700a8ba77dbe9c29d6500f54031ef
Author: Romain Manni-Bucau <rmannibu...@gmail.com>
AuthorDate: Tue Jul 25 12:19:55 2023 +0200

    [doc] a word on BigDecimal/BigInteger
---
 src/site/markdown/security.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index f072a33b..0b554bb0 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -37,3 +37,13 @@ If you need to report a bug that isn't an undisclosed 
security vulnerability, pl
 should be addressed to the [mailing 
list](http://johnzon.apache.org/mail-lists.html).
 
 The private security mailing address is: security (at) apache (dot) org
+
+## BigInteger and Java
+
+JSON-P/JSON-B exposes API using `BigDecimal` and `BigInteger`.
+The bridge between these two types is `BigDecimal#toBigInteger` which has a 
slow implementation in Java without careness or scale max validation.
+
+Johnzon does some sanity checks on this value but at some point we recommend 
you to stay away from these API and handle big numbers using `String` type and 
parse them yourself since you are the only ones knowing the correct functional 
and relevant validation of the scale before a instantiation.
+
+If you know you don't need such big types, prefer using plain primitives (or 
wrappers).
+
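Review bot: the new section tells readers that Johnzon "does some sanity checks on this value" without saying what is checked or how the limit is configured; name the bound on the scale (and the property or builder option that sets it, if one exists) so a reader can judge whether the default covers their inputs, since that is the whole point of a security page. Two smaller points in the same hunk: the heading `## BigInteger and Java` is narrower than the text, which is about the `BigDecimal#toBigInteger` bridge, so `## BigDecimal, BigInteger and Java` would match it better; and "without careness or scale max validation" / "a instantiation" should read "without care or validation of the maximum scale" / "an instantiation". It would also help to state in one sentence why the scale matters (a small unscaled value with a very large exponent expands into a correspondingly large integer), since that is what the "parse them yourself" advice is protecting against.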