
      The transitive dependencies of Cheshire also include Jackson’s databind module, which contains over 68,000 lines of Java and has been subject to many published CVEs.

      I feel like Jackson databind is the root cause of nearly half the vulnerability reports we used to get, before we added it to exclusions. If you use Cheshire, I highly recommend adding databind to the exclusions list; it will continue to work great without it.

      jsonista takes Cheshire as its performance low-water mark, but utilises Jackson databind’s object mapper directly to maximise performance.

      It would make me really nervous to build your entire parsing strategy around a library with such an awful track record TBH.
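As an added illustration of the exclusion the comment recommends (this is not code from the comment or from the Cheshire project), here is a deps.edn fragment that removes Jackson databind from Cheshire's transitive tree. The coordinates `cheshire/cheshire` and `com.fasterxml.jackson.core/jackson-databind` are the real Maven coordinates; the Cheshire version is an assumption chosen for the example.

```clojure
;; deps.edn fragment (added example, not from the comment above)
{:deps
 {;; Version is an assumption for illustration; pin whatever you use.
  cheshire/cheshire {:mvn/version "5.11.0"
                     ;; :exclusions in deps.edn apply to the whole subtree
                     ;; under this coordinate, so databind is dropped even
                     ;; though Cheshire only pulls it in transitively.
                     :exclusions [com.fasterxml.jackson.core/jackson-databind]}}}
```

After editing, confirm the artifact is really gone with `clojure -Stree | grep jackson-databind` (no output means it is excluded). The exclusion only covers the subtree under Cheshire: if another dependency in the project also pulls in databind, it will still appear in the tree and needs its own exclusion or replacement. For a Leiningen project the same `:exclusions [com.fasterxml.jackson.core/jackson-databind]` vector goes on the `cheshire` entry in `project.clj`, and `lein deps :tree` performs the equivalent check.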