The transitive dependencies of Cheshire also include Jackson’s databind module, which contains over 68,000 lines of Java and has been subject to many published CVEs.
I feel like Jackson databind is the root cause of nearly half the vulnerability reports we used to get, before we added it to exclusions. If you use Cheshire, I highly recommend adding databind to the exclusions list; it will continue to work great without it.
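The exclusion recommended above, written out as an added `deps.edn` example (this is not code from the thread's author or from the Cheshire project; the Cheshire version is a placeholder, and the only real coordinate assumed is Jackson databind's Maven artifact name):

```clojure
;; deps.edn (added example, not from the thread). The cheshire version is a
;; placeholder: pin whatever release you actually use.
{:deps
 {cheshire/cheshire
  {:mvn/version "<cheshire-version>"
   ;; Remove Jackson databind from Cheshire's transitive dependency closure.
   ;; The coordinate is databind's real Maven artifact; the commenter above
   ;; reports Cheshire keeps working without it.
   :exclusions [com.fasterxml.jackson.core/jackson-databind]}}}

;; Check that nothing else pulls databind back in. An exclusion is scoped to
;; the one dependency it is attached to, so a library that declares databind
;; directly (jsonista, per the thread, uses its ObjectMapper) reintroduces it:
;;
;;   clojure -Stree | grep -i jackson-databind
;;
;; Any remaining hit names a dependency that needs its own exclusion, or a
;; deliberate decision to keep databind and track its advisories.
```

The same exclusion in Leiningen form goes in the `:exclusions` vector of the `cheshire` entry in `project.clj`; `lein deps :tree` plays the role of `clojure -Stree` for the verification step.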
jsonista takes Cheshire as its performance low-water mark, but utilises Jackson databind’s object mapper directly to maximise performance.
It would make me really nervous to build your entire parsing strategy around a library with such an awful track record TBH.