Jackson dependencies issue #2789
Comments
|
I'm wondering if we should include the Having mixed Jackson dependencies will cause a lot of problems. @aloubyansky we discussed a bit the cost of adding new BOMs, I think this one is worth it considering how popular Jackson is, how incompatible versions are and how many security issues there are with Jackson. |
|
We already import Jackson BOM. |
|
Ah yes, right. So how come we can have 2.9.8 Jackson dependencies? |
|
Something is not right with quarkus-bom it seems. |
|
Does importing quarkus-bom in the extension fix it for you @loicmathieu ? |
|
See my last comment on the PR #2791 that try to summerize it ... unfortunatly it didn't fix the issue so my PR is the best that I can find to fix it (or a derivative version that I explain in it) ... I know it's ugly ... |
|
Ok, I read your PR comments. Thanks. |
|
Hold on though. I want to try something. |
|
The order of importing BOMs is significant. It appears that the reaseasy-bom includes jackson artifacts and is imported before the jackson-bom. If you import the jackson-bom first, you'll get the expected jackson versions all over. |
|
@aloubyansky I miss this one! Did I change my PR or do you want to create one yourself ? |
|
Yes, first BOM to define a dependency wins |
|
Could you please adjust your PR to do that @loicmathieu? Thanks a lot for reporting the issue. |
|
OK, I'll update my PR |
The oder of import in the bom is important, we need to import Jackson first before RESTEasy. After this, exluding and importing Jackson in the quarkus-smallrye-openapi extention is useless.
The oder of import in the bom is important, we need to import Jackson first before RESTEasy. After this, exluding and importing Jackson in the quarkus-smallrye-openapi extention is useless.
The oder of import in the bom is important, we need to import Jackson first before RESTEasy. After this, exluding and importing Jackson in the quarkus-smallrye-openapi extention is useless.
The oder of import in the bom is important, we need to import Jackson first before RESTEasy. After this, exluding and importing Jackson in the quarkus-smallrye-openapi extention is useless.
root path docs fix imports fix poms and typos doc suggestions Add mp rest-client tck configuration Introduce handling for mp/uri in accordance to spec Fixes: quarkusio#2795 Remove misleading sentence from Kubernetes / ap4k guide The guide will updated when dekorateio/dekorate#227 is implemented and the new version included into Quarkus Implement mock mailer by default on dev/test fix(quarkusio#2789): fix Jackson version issue The oder of import in the bom is important, we need to import Jackson first before RESTEasy. After this, exluding and importing Jackson in the quarkus-smallrye-openapi extention is useless. Arc - correct circular dependency check to detect self-injection as well, added test. feat(openapi): Allows OpenAPI path to contain segments e.g /api/openapi/ Fixes quarkusio#2756 Arc - Implement inheritance of scopes for beans. register reflective classes from bean archive index by providing the index as part of the reflective class build item Document InjectionPointTransformer. Arc - register certain CDI components under BuildContext so extensions can use that. Modify SpringDIProcessor to make use of this. Subclasses/client proxies - skip delegation if not constructed yet - resolves quarkusio#2774 Docs - CDI guide - remove unnecessary dummy constructor feat(agroal): Adds a configuration option to enable datasource metrics Fixes quarkusio#2820 Quarkus bypasses Nexus and downloads artefacts directly from maven central Fix title levels in Undertow reference guide Remove two ArC injection warnings Update to smallrye-jwt-1.1 Moved common stuff to panache-common-deployment, ported `@GenerateBridge` to non-rx panache Added two finals Skip racey TCK test This is due to eclipse/microprofile-rest-client#203 Undertow 2.0.21.Final Better error reporting if test resource fails to start Remove license headers
Describe the bug
Jackson dependency is 2.9.9 in the Quarkus bom but some dependency issue exist linked to smallrye-openapi that downgrade the dependency version to 2.9.8.
Unfortunatly there is an existing CVE on the 2.9.8 so it's important to have the 2.9.9 version.
Moreover, there is a mix of the two versions for different Jackson modules.
Expected behavior
All Jackson libraries should be of the 2.9.9 version.
Actual behavior
Making a dependency tree shows some Jackson libraries on version 2.9.8 despite the Quarkus bom references the 2.9.9 only:
The wrong version comes from transitive dependency issues from sallrye-openapi
To Reproduce
Steps to reproduce the behavior:
mvn dependency:treeon the quarkus-smallrye-openapi extentionEnvironment (please complete the following information):
Additional context
I have a PR ready to fix the dependency issue on the quarkus-smallrye-openapi dependency.
The text was updated successfully, but these errors were encountered: