Description
jackson-core 2.19.4, as used in Spring Boot 3.5.11, is affected by Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition.
I've asked the Jackson project if there will be a 2.19.x patch update with the fix, but I got a response saying that Jackson 2.19 is no longer maintained and that 2.18 and 2.21 are the LTS releases that got updates (2.18.6, 2.21.1).
Looking at the release notes for Jackson 2.20 and 2.21, it looks like 2.19 to 2.21 should be a backwards-compatible update in the context of Spring Boot 3.5 applications, because the JDK baseline changes for jackson-annotations, jackson-datatype-hibernate and jackson-jakarta-providers won't affect Spring Boot 3.5 applications, which already require Java 17 or later due to the use of Spring Boot 3.5.
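Until a Spring Boot release picks up a patched Jackson, an application can pin the managed Jackson version itself. The Maven fragment below is an added example, not part of the issue or of the Spring Boot project; it assumes the project inherits from `spring-boot-starter-parent` and that `jackson-bom.version` is the property Spring Boot's dependency management uses for the Jackson BOM, with the override target being the 2.21.1 release named above.

```xml
<!-- Added example: override the Jackson BOM version managed by Spring Boot 3.5.
     Assumes the project uses spring-boot-starter-parent and that the
     jackson-bom.version property is the one spring-boot-dependencies reads. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.5.11</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>
  <artifactId>jackson-override-example</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <java.version>17</java.version>
    <!-- Replace the managed 2.19.4 with the maintained 2.21.x line that carries the fix. -->
    <jackson-bom.version>2.21.1</jackson-bom.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
```

After changing the property, confirm that no transitive path still resolves to 2.19.4 by inspecting the resolved tree, for example with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`, and then run the application's test suite, since the compatibility argument above rests on the 2.20 and 2.21 release notes rather than on a Spring Boot-verified combination.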