Jackson Version 2.9 was released on July 30th 2017.

There is a longer blog entry on major features, above and beyond information here.

Branch is not open for general releases and 2.9.10 was the last full patch release. Multiple micro-patch versions have been released (see below), but with release of 2.9.10.8 on January 6, 2021, the branch is now officially closed and no releases of any kind are planned.

Beyond initial 2.9.0 (described here), following patch versions were released:

• 2.9.1 (07-Sep-2017)
• 2.9.2 (14-Oct-2017)
• 2.9.3 (09-Dec-2017)
• 2.9.4 (24-Jan-2018)
• 2.9.5 (26-Mar-2018)
• 2.9.6 (12-Jun-2018)
• 2.9.7 (19-Sep-2018)
• 2.9.8 (15-Dec-2018)
• 2.9.9 (16-May-2019)
• 2.9.10 (21-Sep-2019) -- see notes below on micro-patches

Following micro-patches have been or will be released:

• jackson-databind 2.9.9.1 (03-Jul-2019)
  • #2334: Block one more gadget type (CVE-2019-12384)
  • #2341: Block one more gadget type (CVE-2019-12814)
  • #2375: ObjectMapper. getRegisteredModuleIds() throws NPE if no modules registered
• jackson-databind 2.9.9.2 (27-Jul-2019) -- with jackson-bom version 2.9.9.20190727
  • #2331: JsonMappingException through nested getter with generic wildcard return type
  • #2387: Block one more gadget type (CVE-2019-14379)
  • #2389: Block one more gadget type (CVE-2019-14439)
• jackson-databind 2.9.9.3 (06-Aug-2019) -- with jackson-bom version 2.9.9.20190807
  • #2395: NullPointerException from ResolvedRecursiveType (regression due to fix for #2331)
• jackson-databind 2.9.10.1 (20-Oct-2019) -- with jackson-bom version 2.9.10.20191020
  • #2478: Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)
  • #2498: Block one more gadget type (log4j-extras/1.2, CVE-2019-17531)
• jackson-databind 2.9.10.2 (03-Jan-2020)
  • #2526: Block two more gadget types (ehcache/JNDI -CVE-2019-20330)
  • #2544: java.lang.NoClassDefFoundError Thrown for compact profile1
• jackson-databind 2.9.10.3 (23-Feb-2020) -- with jackson-bom version 2.9.10.20200223
  • #2620: Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840)
• jackson-databind 2.9.10.4 (11-Apr-2020) -- with jackson-bom version 2.9.10.20200411
  • #2631: Block one more gadget type (shaded-hikari-config, CVE-2020-9546)
  • #2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)
  • #2642: Block one more gadget type (javax.swing, CVE-2020-10969)
  • #2648: Block one more gadget type (shiro-core)
  • #2653: Block one more gadget type (shiro-core)
  • #2658: Block one more gadget type (ignite-jta, CVE-2020-10650)
  • #2659: Block one more gadget type (aries.transaction.jms, CVE-2020-10672)
  • #2660: Block one more gadget type (com.caucho:quercus, CVE-2020-10673)
  • #2662: Block one more gadget type (bus-proxy, CVE-2020-10968)
  • #2664: Block one more gadget type (activemq-jms, CVE-2020-11111)
  • #2666: Block one more gadget type (apache/commons-proxy, CVE-2020-11112)
  • #2670: Block one more gadget type (openjpa, CVE-2020-11113)
  • #2680: Block one more gadget type (spring-jpa, CVE-2020-11619)
  • #2682: Block one more gadget type (commons-jelly, CVE-2020-11620)
• jackson-databind 2.9.10.5 (21-Jun-2020) -- with jackson-bom version 2.9.10.20200621
  • #2688: Block one more gadget type (apache-drill, CVE-2020-14060)
  • #2698: Block one more gadget type (weblogic/oracle-aqjms, CVE-2020-14061)
  • #2704: Block one more gadget type (jaxp-ri, CVE-2020-14062)
  • #2765: Block one more gadget type (org.jsecurity, CVE-2020-14195)
• jackson-databind 2.9.10.6 (24-Aug-2020) -- with jackson-bom version 2.9.10.20200824
  • #2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750
  • #2814: Block one more gadget type (Anteros-DBCP, CVE-2020-24616)
  • #2826: Block one more gadget type (com.nqadmin.rowset)
  • #2827: Block one more gadget type (org.arrahtec:profiler-core)
• jackson-databind 2.9.10.7 (02-Dec-2020) -- with jackson-bom version 2.9.10.20201202
  • #2589: DOMDeserializer: setExpandEntityReferences(false) may not prevent external entity expansion in all cases (CVE-2020-25649)
  • #2854: Block one more gadget type (javax.swing, CVE-2021-20190)
• jackson-databind 2.9.10.8 (06-Jan-2021) -- with jackson-bom version 2.9.10.20210106
  • #2986: Block 2 more gadget types (commons-dbcp2, CVE-2020-35490/CVE-2020-35491)
  • #2996: Block 2 more gadget types (newrelic-agent, CVE-2020-36188/CVE-2020-36189)
  • #2997: Block 2 more gadget types (tomcat/naming-factory-dbcp, CVE-2020-36186/CVE-2020-36187)
  • #2998: Block 2 more gadget types (org.apache.tomcat/tomcat-dbcp, CVE-2020-36184/CVE-2020-36185)
  • #2999: Block 1 more gadget type (org.glassfish.web/javax.servlet.jsp.jstl, CVE-2020-35728)
  • #3003: Block one more gadget type (org.docx4j.org.apache:xalan-interpretive, CVE-2020-36183)
  • #3004: Block some more DBCP-related potential gadget classes (CVE-2020-36179 - CVE-2020-36182)

---

No changes from 2.8: Java 7 features available for all modules (meaning, need to compile on Java 7), JDK/JVM 7 is the baseline, except:

• jackson-annotations, jackson-core (streaming) and jackson-jr still only require JDK/JVM 6
• Java 8 modules, Kotlin, Scala module require JDK/JVM 8

Other modules could theoretically run on Java 6 with reduced features (i.e. avoid loading Java 7 types), but have compiled compiled with -target 1.7 setting so bytecode unfortunately requires JDK 7. It should be possible to post-process jars, however, to produce JDK 6 - compatible jars.

No changes: similar to Jackson 2.8 minimum is Android 4.4, API-level 19 (see this dashboard for example).

Note that version 2.7 will work with older Android versions; and there are some reports that even 2.8 may actually work (even if not specified to).

First official version of jackson-dataformat-ion (under jackson-dataformats-binary repo) supports Amazon Ion binary data format.

As per databind#219 java.sql.Date will finally use same "timestamp-or-String" determination as java.util.Date and java.util.Calendar. This means that with vanilla, unchanged settings, values will be serialized as numeric timestamps. Note that the default String serialization will still default to java.sql.Date.String(), and not to default formatting java.util.Date uses.

1. Add separate exception type for "pojo configuration problem" (InvalidDefinitionException), distinct from "json input" problem (MismatchedInputException); in general to distinguish between bad configuration (server-side issue) and bad data (client issue) #1356
2. Per-property custom serialization inclusion (@JsonInclude(value=Include.CUSTOM, valueFilter=MyExcluder.class) #888
3. Per-property overwrite-vs-merge annotation/handling, to allow for merging of configuration information (for example) #1399
   • note: on-going work to increase coverage; most types should work
4. Ability to override handling of null for deserialization #1402
5. Aliases, to allow migration: alternate property id names to accept (but not write) #1029
6. Non-blocking JSON/Smile parser #57
7. DeserializationFeature to automatically verify that value bound is full value and there is no trailing junk in input ("whole value verification") #1583

From original "big items" list, a few were left out:

1. Ability to force "inject-only" variant of @JacksonInject #1381 -- also solves a few related issues wrt un-deserializable injectable values (which are common)
2. Allow pre-defining Object Ids; pluggable Object Id converters? #693
3. Rewrite of property/creator introspection code, to resolve most open issues wrt Creator auto-detection and name-detection
   • NOTE: partial rewrite occurred for 2.12
4. A way to force a supertype as type id to use during serialization: this is needed to avoid deserialization problems for things like concrete Hibernate collection type. #789
5. Protobuf: Schema building by hand
6. "Safe" ObjectReader, ObjectWriter; that is, ones that does NOT throw checked exceptions (wrap IOExceptions), to work better with Java 8 Streams #779
   • NOTE: decided against this approach -- instead, Jackson 3.0 will change JsonProcessingException to be unchecked, to prevent need for "safe" alternative
7. Support for @JsonIncludeProperties (opposite of @JsonIgnoreProperties) #1296
   • NOTE: finally implement in Jackson 2.1

In addition, during development of 2.9, couple of new great ideas surfaced, but could not yet be implemented due to time constraints:

• Low-level String post-processor? jackson-core#355
• Comma-separated "ints in a String" #1242
• Support for automated FormatSchema configuration/lookup: #1582
  • Would be especially useful for cases where caller does not have full control; for example, when using as extension for frameworks like JAX-RS
• @JsonUnwrapped improvements, which need major rewrite of unwrapped deserialization:
  • Support for @JsonUnwrapped as @JsonCreator parameter
  • Catching "unknown" properties

Ideally the next minor version (or, as the case may be, major...) -- 3.0 -- would start by considering these features as the starting Big Ticket item list.

---

• #103: Add JsonInclude.Include.CUSTOM, properties for specifying filter(s) to use
• #104: Add new properties in @JsonSetter: nulls/contentNulls
• #105: Add @JsonFormat.lenient to allow configuring lenience of date/time deserializers
• #108: Allow @JsonValue on fields
• #109: Add enabled for @JsonAnyGetter, @JsonAnySetter, to allow disabling via mix-ins
• #113: Add @JsonMerge to support (deep) merging of properties
• #116: Add @JsonAlias annotation to allow specifying alternate names for a property
• Allow use of @JsonView on classes, to specify Default View to use on non-annotated properties.

• #17: Add 'JsonGenerator.writeString(Reader r, int charLength)'
• #57: Add support for non-blocking ("async") JSON parsing
• #208: Make use of _matchCount in FilteringParserDelegate
• #306: Add new method in JsonStreamContext to construct JsonPointer
• #312: Add JsonProcessingException.clearLocation() to allow clearing possibly security-sensitive information
• #314: Add a method in JsonParser.isNan() to allow checking for "NaN" values
• #323: Add JsonParser.ALLOW_TRAILING_COMMA to work for Arrays and Objects
• #325: DataInput backed parser should handle EOFException at end of doc
• #356: Improve indication of "source reference" in JsonLocation wrt byte[],char[]
• #374: Minimal and DefaultPrettyPrinter with configurable separators

• #219: SqlDateSerializer does not obey SerializationConfig.Feature.WRITE_DATES_AS_TIMESTAMPS
• #291: @JsonTypeInfo with As.EXTERNAL_PROPERTY doesn't work if external type property is referenced more than once
• #357: StackOverflowError with contentConverter that returns array type
• #383: Recursive @JsonUnwrapped (child with same type) fail: "No _valueDeserializer assigned"
• #403: Make FAIL_ON_NULL_FOR_PRIMITIVES apply to primitive arrays and other types that wrap primitives
• #476: Allow "Serialize as POJO" using @JsonFormat(shape=Shape.OBJECT) class annotation
• #507: Support for default @JsonView for a class
• #888: Allow specifying custom exclusion comparator via @JsonInclude, using JsonInclude.Include.CUSTOM
• #994: DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS only works for POJOs, Maps
• #1029: Add a way to define property name aliases
• #1035: @JsonAnySetter assumes key of String, does not consider declared type
• #1106: Add MapperFeature.ALLOW_COERCION_OF_SCALARS for enabling/disabling coercions
• #1284: Make StdKeySerializers use new JsonGenerator.writeFieldId() for int/long keys
• #1320: Add ObjectNode.put(String, BigInteger)
• #1341: DeserializationFeature.FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY
• #1347: Extend ObjectMapper.configOverrides() to allow changing visibility rules
• #1356: Differentiate between input and code exceptions on deserialization
• #1369: Improve @JsonCreator detection via AnnotationIntrospector by passing MappingConfig
• #1371: Add MapperFeature.INFER_CREATOR_FROM_CONSTRUCTOR_PROPERTIES to allow disabling use of @CreatorProperties as explicit @JsonCreator equivalent
• #1376: Add ability to disable JsonAnySetter/JsonAnyGetter via mixin
• #1399: Add support for @JsonSetter(merge=OptBoolean.TRUE) to allow "deep update"
• #1402: Use @JsonSetter(nulls=...) to specify handling of null values during deserialization
• #1406: ObjectMapper.readTree() methods do not return null on end-of-input
• #1407: @JsonFormat.pattern is ignored for java.sql.Date valued properties
• #1428: Allow @JsonValue on a field, not just getter
• #1454: Support @JsonFormat.lenient for java.util.Date, java.util.Calendar
• #1480: Add support for serializing boolean/Boolean as number (0 or 1)
• #1520: Case insensitive enum deserialization feature.
• #1522: Global @JsonInclude(Include.NON_NULL) for all properties with a specific type
• #1552: Map key converted to byte array is not serialized as base64 string
• #1554: Support deserialization of Shape.OBJECT ("as POJO") for Maps (and map-like types)
• #1556: Add ObjectMapper.updateValue() method to update instance with given overrides
• #1583: Add a DeserializationFeature.FAIL_ON_TRAILING_TOKENS to force reading of the whole input as single value
• #1605: Allow serialization of InetAddress as simple numeric host address
• #1678: Rewrite StdDateFormat ISO-8601 handling functionality

• #13: Add support for Avro default values
• #14: Add support for Avro annotations via AvroAnnotationIntrospector
• #15: Add a way to produce "file" style Avro output
• #56: Replace use of BinaryDecoder with direct access
• #57: Add support for @Stringable annotation
• #59: Add support for @AvroAlias annotation for Record/Enum name evolution
• #60: Add support for @Union and polymorphic types
• #63: Implement native float handling for parser
• #69: Add support for @AvroEncode annotation
• #95: Add new method, withUnsafeReaderSchema in AvroSchema to allow avoiding verification exception
• Upgrade avro-core dep from 1.7.7 to 1.8.1

• #127: Add CsvGenerator.Feature.ALWAYS_QUOTE_EMPTY_STRINGS to allow forced quoting of empty Strings
• #130: Add fluent addColumns operation to CsvSchema.Builder
• #137: Inject "missing" trailing columns as nulls (CsvParser.Feature.INSERT_NULLS_FOR_MISSING_COLUMNS)
• #139: Add CsvParser.Feature.ALLOW_TRAILING_COMMA to allow enforcing strict handling
• #140: Fail for missing column values (CsvParser.Feature.FAIL_ON_MISSING_COLUMNS)
• #142: Add methods for appending columns of a CsvSchema into another
• Add new exception type CsvMappingException to indicate CSV-mapping issues (and give access to effective Schema)

• #64: Implement native float handling for parser
• #68: Getting "type not supported as root type by protobuf" for serialization of short and UUID types
• #79: Fix wire type for packed arrays

• #1: Add convenience method(s) for reading System properties
• #3: Write into Properties instance (factory, mapper) using JavaPropsMapper.writeValue() with Properties and JavaPropsMapper.writeValueAsProperties()
• #4: Allow binding from Properties instance

• #162: XML Empty tag to Empty string in the object during xml deserialization
• #232: Implement writeRawValue in ToXmlGenerator
• #245: Default DeserializationFeature.ACCEPT_EMPTY_STRING_AS_NULL_OBJECT to "enabled" for XmlMapper
• #246: Add new feature, FromXmlParser.Feature.EMPTY_ELEMENT_AS_NULL
• #250: Deserialization of Exception serialized as XML fails

• #67: Add YAMLGenerator.Feature.INDENT_ARRAYS
• #76: Add YAMLGenerator.Feature.LITERAL_BLOCK_STYLE for String output

• #3: (datatype) Add Serialization Support for Streams
• #20: (datetime) Allow LocalDate to be serialized/deserialized as number (epoch day)
• #21: (datetime) DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS not respected

• #119: dependencies property should not be an Array but Object