Migrate jackson 2.x to 3.x

[vmillet-dev]

Disclaimer

Moving to jackson 3 (and implicitly java 17) are maybe a real breaking change, I don't know the policy of maintainers about older java versions compatibilities, but well, I did this work for myself in first place, so at least you can take a look

Changes

• Bump java baseline to 17 in build.gradle + CI files (the minimum supported java version for jackson 3.x)
• Update gradle to 7.x (for java 17 support)
• Remove Java 8/11 tests because these versions are no longer supported by Jackson3.

From jackson3 migration guide (link bellow):

• Update Java package from com.fasterxml.jackson.[core/databind] -> tools.jackson.[core/databind]
• Replace removed ObjectCodec by the right implementation of ObjectReadContext/ObjectWriteContext interfaces (which are DeserializationContext and SerializationContext)
• JsonProcessingException -> JacksonException
• JsonGenerator.writeObject() -> JsonGenerator.writePOJO()
• JsonGenerator.writeFieldName() -> JsonGenerator.writeName()
• JsonNode.asText() -> JsonNode.asString()
• JsonNode.isTextual() -> JsonNode.isString()
• JsonParser.getCodec() -> JsonParser.objectReadContext()

References

• jackson3 migration guide
• Related to Upgrade Jackson 2 => Jackson 3 #730

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All existing and new tests complete without errors

[jmini]

This version is affected by GHSA-72hv-8253-57qq consider using 3.1.0

[vmillet-dev]

thx for reporting this, I updated to 3.1.0

[ferberts]

We also would need this upgrade because wanna fix the security issue. Sadly we depend on io.ktor:ktor-server-auth-jwt which depends on this library. So they also could not remove dependency to jackson 2 yet. Would be great to see this one merged with latest jackson 3 version!

[efsn]

May I know if there is a timeline or plan to do the release for jackson 3.x?

[tanya732]

Hi @vmillet-dev

Thanks for putting this together, we appreciate the effort.

We want to acknowledge the community demand here (and in #730 ). We understand this is a blocker for some, especially in dealing with transitive dependency conflicts and the security advisory on older Jackson 2.x versions.

This migration carries significant implications, bumping the Java baseline to 17 and introducing a breaking change for consumers. We're currently evaluating the impact internally. We're looking at usage metrics and downstream effects to make sure we land on the right approach for the broadest set of users.

We'll share the final plan once we've completed the evaluation.

Thanks for your patience.