The transitive dependencies of Cheshire also include Jackson's databind module, which contains over 68,000 lines of Java and has been subject to many published CVEs.

I feel like Jackson databind is the root cause of nearly half the vulnerability reports we used to get, before we added it to exclusions. If you use Cheshire, I highly recommend adding databind to the exclusions list; it will continue to work great without it.

jsonista takes Cheshire as its performance low-water mark, but utilises Jackson databind's object mapper directly to maximise performance.

It would make me really nervous to build your entire parsing strategy around a library with such an awful track record TBH.
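The exclusion the comment recommends, written out as an added example (not the commenter's own configuration, and not part of Cheshire or jsonista): a deps.edn entry and the equivalent Leiningen dependency vector that drop jackson-databind from Cheshire's transitive closure, followed by the tree check used to confirm the artifact really is gone. The Cheshire version shown is an assumed illustrative value; the Maven coordinates `cheshire/cheshire` and `com.fasterxml.jackson.core/jackson-databind` are the real ones. Note that this applies to Cheshire only: jsonista, as the comment says, calls databind's object mapper directly, so excluding the module there would break it rather than harden it.

```clojure
;; deps.edn (Clojure CLI). Added example; the version string is an assumption,
;; pin whatever your project actually resolves.
{:deps {cheshire/cheshire {:mvn/version "5.12.0"
                           ;; Drop the transitive Jackson databind module named above.
                           :exclusions [com.fasterxml.jackson.core/jackson-databind]}}}

;; project.clj (Leiningen) equivalent, same assumed version:
;; :dependencies [[cheshire "5.12.0"
;;                 :exclusions [com.fasterxml.jackson.core/jackson-databind]]]

;; Verify the exclusion took effect. Either command should print nothing for
;; databind once the exclusion is in place (jackson-core and jackson-dataformat-*
;; will still be listed, which is expected):
;;   clojure -Stree | grep -i jackson-databind
;;   lein deps :tree 2>/dev/null | grep -i jackson-databind
;; If another dependency pulls databind back in, it will show up here under that
;; dependency's subtree, and the exclusion needs to be added to that entry too.
```

The tree check matters more than the edit itself: an exclusion only removes the path through Cheshire, so any other library in the project that depends on databind will reintroduce it, and the grep is the quickest way to catch that before the next vulnerability report does.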