Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency com.cedarsoftware:json-io to v4.14.1 [SECURITY] #139

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency com.cedarsoftware:json-io to v4.14.1 [SECURITY] #139

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 8, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
com.cedarsoftware:json-io 4.9.1 -> 4.14.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-34610

An issue was discovered json-io through 4.14.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that have deeply nested structures.

Release Notes

jdereg/json-io (com.cedarsoftware:json-io)

v4.14.1

Compare Source

  • JDK 1.8 is target class file format. @​laurgarn
    • JDK 11 is source file format. @​laurgarn
    • Bug fix: EnumSet support fixed. @​laurgarn
    • Bug fix: Null boxed primitives are preserved round-trip. @​laurgarn
    • Enhancement: Filter Blacklisted Fields Before Trying to Access them to prevent exceptions thrown by Proxies (improve hibernate support) @​kpartlow
    • Bug fix: Stack overflow error caused by json-io parsing of untrusted JSON String @​PoppingSnack
    • Enhancement: Create gradle-publish.yml @​devlynnx
    • Enhancement: Added record deserialization, which implies java 16 codebase @​reuschling
    • Bug fix: Fixed TestJavaScript @​h143570
    • Enhancement: Bump gson from 2.6.2 to 2.8.9 @​dependabot
    • Enhancement: support deserialization of Collections.EmptyList on JDK17 @​ozhelezniak-talend

v4.14.0

Compare Source

  • Bug fix: Enum serialization error with Java 17 #​155. According to @​wweng-talend, if you set : "--illegal-access=deny" on jvm parameters, it works the same between jdk11 and jdk17.

v4.13.0

Compare Source

  • Enhancement: Clear unresolved references after all have been processed, as opposed to removing each one after it was processed.

v4.12.0

Compare Source

  • Bug fix: Enhancement #​137 introduced bug for negative numbers on simple values when tolerant/lenient parsing of +/- infinity was turned on.

v4.11.1

Compare Source

  • Enhancement (#​140): New option flag added FORCE_MAP_FORMAT_ARRAY_KEYS_ITEMS:true|false to allow forcing JSON output format to always write Map as @keys/@​items in the JSON (example: {"@​keys":["a", "b"], "@​values":[1, 2]}, rather than its default behavior of recognizing all String keys and writing the Map as a JSON object, example: {"a":1, "b":2}. The default value for this flag is false.

v4.11.0

Compare Source

  • Enhancement (#​137): Allow tolerant/lenient parser of +/- infinity and NaN. New API added, JsonReader.setAllowNanAndInfinity(boolean) and JsonWriter.setAllowNanAndInfinity(boolean). The default is false to match the JSON standard.
    • Enhancement (#​129): JsonReader.jsonToJava("") or JsonReader.jsonToJava(null) now returns a null, rather than throwing an exception.
    • Bug fix (#​123): Removed vulnerability by disallowing ProcessBuilder to be serialized.
    • Bug fix (#​124): Illegal Reflective Access warning when using json-io in Java 9 or newer. This was do to call isAccessible() on Java's Field class. This has been removed.
    • Bug fix (#​132, #​133): There was instance when @​i was written when it should have been @​e, indicating items, when using SHORT_META_KEYS flag.
    • Bug fix (#​135): When reading { "@​type": "char", "value": "\"" }, the value was read in as \u0000. It now reads in correctly as a double quote character.

v4.10.1

Compare Source

  • Enhancement: Made FastPushbackBufferedReader constructor public so that this stream reader can be used anywhere.

v4.10.0

Compare Source

  • Bug fix: When reading into Maps, logical primitives that are not long, double, boolean, or null, were being kept in JsonObjects instead of being converted into their respective types (int, float, Date, etc.)

v4.9.12

  • Bug fix: Line number was incorrectly being reported as column number in error output.

v4.9.11

  • Enhancement: Added nice JSON-style argument format method, typically used for logging method calls. See MetaUtils.getLogMessage().

v4.9.10

  • Bug fix: When system property file.encoding was not set to UTF-8, json-io was not correctly handling characters outside the ASCII space. @​rednoah

v4.9.9

Compare Source

  • Enhancement: Missing field handler improvements. Submitted by @​sgandon

v4.9.8

Compare Source

  • Enhancement: Missing field handler improvements. Submitted by @​sgandon

v4.9.7

Compare Source

  • Enhancement: Added JsonReader.addReaderPermanent() and JsonWriter.addWriterPermanent() to allow for a static (lifecycle of JVM) reader / writer to be added. Now, custom readers and writers can be added that only exist per-instance of JsonReader / JsonWriter or permanently, so they do not have to be added each instantiation (through args or call .addReader() or .addWriter()).

v4.9.6

Compare Source

  • Enhancement: Improved enum handling. Updated how enums are detected so that subclasses of enums are detected. ordinal and internal fields no longer output.

v4.9.5

Compare Source

  • Bug fix: The new FastPushBackBytesReader was incorrectly reading a String byte-by-byte ignoring the code point boundaries. Because of this, it would blow up during parsing Strings with characters outside the ascii range. New test case added that causes the failure. For time being, the FastPushBackBytesReader has been removed.
    • Javadoc updates.

v4.9.4

Compare Source

  • Optimization: The coercedTypes Map in the Resolver is built one time now.
    • Added test case illustrating gson cannot handle writing then reading back Maps correctly when the keys are not Strings.

v4.9.3

  • Enhancement: Double.INF and NAN are output as null.

v4.9.2

  • Optimization: When parsing from String, a different (faster) byte[] based pushback reader is used.
    • Optimization: Built-in Readers and Writers are only instantiated once for all instances of JsonReader / JsonWriter and then re-used.
    • Enhancement: Inner 'view' classes generated from .keySet() and .values() are coerced to standard mutable collection classes.
    • Optimization: Identical code consolidated to one function.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants