Upgrade jackson dependencies to 2.21.1 #2323

Open
sebastian-j-ibanez wants to merge 1 commit into maintenance from issue-2322-upgrade-jackson
@sebastian-j-ibanez sebastian-j-ibanez commented Mar 6, 2026

Changes made

  • Update the following com.fasterxml.jackson dependencies to 2.21.1:

    • jackson-databind
    • jackson-annotation
    • jackson-dataformat-xml
    • jackson-datatype-jsr310
    • jackson-jaxrs-json-provider

    This upgrade does not introduce any breaking changes.

    No additional unit tests fail after the upgrade.


Summary by cubic

Upgraded Jackson to 2.21.1 and centralized the version in the pom, addressing Linear issue 2322. No breaking changes; all tests pass.

  • Dependencies
    • Added jackson.version=2.21.1 and applied to databind, jsr310, module-jaxb-annotations, dataformat-xml, and jaxrs-json-provider.
    • Updated lock files to reflect 2.21.x across Jackson artifacts.

Written for commit 09953b8. Summary will update on new commits.

Summary by Sourcery

Upgrade Jackson dependencies to a centralized 2.21.1 version across the project.

Enhancements:

  • Centralize the Jackson version in the Maven POM via a jackson.version property and apply it to all Jackson dependencies.

Build:

  • Update dependency lock files to reflect Jackson 2.21.1 versions.

sebastian-j-ibanez self-assigned this Mar 6, 2026
sebastian-j-ibanez added the labels type: maintenance (Code refactoring, dependency updates) and type: security (Security related issue) Mar 6, 2026
sebastian-j-ibanez linked an issue (3 tasks) Mar 6, 2026 that may be closed by this pull request
@qodo-code-review
Review Summary by Qodo

Upgrade Jackson dependencies to 2.21.1

✨ Enhancement

Walkthroughs

Description
• Upgrade Jackson dependencies from 2.19.2 to 2.21.1
• Add centralized Jackson version property in pom.xml
• Update dependency lock files with new checksums
• Consolidate version management for all Jackson modules
Diagram
flowchart LR
  A["Jackson 2.19.2"] -- "upgrade" --> B["Jackson 2.21.1"]
  B -- "update" --> C["pom.xml"]
  B -- "update" --> D["dependencies-lock.json"]
  B -- "update" --> E["dependencies-lock-modern.json"]
  C -- "add property" --> F["jackson.version"]
File Changes

1. pom.xml Dependencies +7/-5

Centralize Jackson version management

• Add new jackson.version property set to 2.21.1
• Update all Jackson dependency versions from 2.19.2 to use ${jackson.version}
• Affected modules: jackson-databind, jackson-datatype-jsr310, jackson-module-jaxb-annotations,
 jackson-dataformat-xml, jackson-jaxrs-json-provider

pom.xml


2. dependencies-lock.json Dependencies +16/-16

Update Jackson dependencies and checksums

• Update jackson-annotations from 2.19.2 to 2.21
• Update jackson-core from 2.19.2 to 2.21.1
• Update jackson-databind from 2.19.2 to 2.21.1
• Update jackson-dataformat-xml from 2.19.2 to 2.21.1
• Update jackson-datatype-jsr310 from 2.19.2 to 2.21.1
• Update jackson-jaxrs-base from 2.19.2 to 2.21.1
• Update jackson-jaxrs-json-provider from 2.19.2 to 2.21.1
• Update jackson-module-jaxb-annotations from 2.19.2 to 2.21.1
• Update integrity checksums for all upgraded Jackson modules

dependencies-lock.json


3. dependencies-lock-modern.json Dependencies +16/-16

Update Jackson dependencies and checksums

• Update jackson-annotations from 2.19.2 to 2.21
• Update jackson-core from 2.19.2 to 2.21.1
• Update jackson-databind from 2.19.2 to 2.21.1
• Update jackson-dataformat-xml from 2.19.2 to 2.21.1
• Update jackson-datatype-jsr310 from 2.19.2 to 2.21.1
• Update jackson-jaxrs-base from 2.19.2 to 2.21.1
• Update jackson-jaxrs-json-provider from 2.19.2 to 2.21.1
• Update jackson-module-jaxb-annotations from 2.19.2 to 2.21.1
• Update integrity checksums for all upgraded Jackson modules

dependencies-lock-modern.json


qodo-code-review bot commented Mar 6, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

Remediation recommended

1. Jackson version skew 🐞 Bug ⛯ Reliability
Description
Both lockfiles resolve jackson-annotations to 2.21 while other Jackson components are 2.21.1,
even though pom.xml introduces a single ${jackson.version}=2.21.1. This weakens dependency
clarity and increases the chance of future Jackson drift (and potential
NoSuchMethodError/classpath surprises) when other dependencies introduce Jackson transitively.
Code

dependencies-lock.json[R203-206]

    "groupId" : "com.fasterxml.jackson.core",
    "artifactId" : "jackson-annotations",
-    "version" : "2.19.2",
+    "version" : "2.21",
    "scope" : "compile",
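Review bot: The added version line pins jackson-annotations to "2.21" while this PR sets jackson.version to 2.21.1, so the lock entry does not match the property a reader will take as the project's Jackson version. Either manage jackson-annotations explicitly in pom.xml or state in the PR description that 2.21 is the intended resolution for this artifact, so the difference is a documented decision rather than an unexplained transitive result.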
Evidence
The build enforces the committed lockfile at validate, so whatever is in the lockfile is
effectively the truth for resolved dependency versions. Currently that truth is:
jackson-annotations is on 2.21 while jackson-core/jackson-databind are on 2.21.1. At the
same time, the pom establishes a single ${jackson.version}=2.21.1 and uses it for several Jackson
deps, but does not explicitly manage jackson-annotations/jackson-core, making the property
misleading and making future version alignment harder.

pom.xml[39-50]
pom.xml[655-681]
pom.xml[1810-1827]
dependencies-lock.json[203-222]
dependencies-lock-modern.json[203-222]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`pom.xml` introduces a single `${jackson.version}=2.21.1`, but the resolved lockfiles pin `jackson-annotations` to `2.21` while other Jackson components are `2.21.1`. This undermines the intent of a single Jackson version and can lead to future drift/confusion.

### Issue Context
The build enforces lockfiles during the `validate` phase via `dependency-lock-maven-plugin`, so the lockfile state is a hard contract.

### Fix Focus Areas
- pom.xml[39-50]
- pom.xml[655-681]
- pom.xml[1810-1827]
- dependencies-lock.json[203-222]
- dependencies-lock-modern.json[203-222]

@gemini-code-assist
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on modernizing the project's dependency landscape by upgrading its core com.fasterxml.jackson libraries. The update brings the application's JSON and XML processing capabilities to a more recent and potentially more secure state, while ensuring backward compatibility and system stability through comprehensive testing.

Highlights

  • Jackson Dependency Upgrade: Upgraded multiple com.fasterxml.jackson dependencies, including jackson-databind, jackson-dataformat-xml, jackson-datatype-jsr310, jackson-jaxrs-json-provider, jackson-annotations, jackson-core, jackson-jaxrs-base, and jackson-module-jaxb-annotations, to versions 2.21.1 (or 2.21 for jackson-annotations).
  • Centralized Version Management: Introduced a new jackson.version property in pom.xml to centrally manage the versions of Jackson dependencies, improving maintainability.
  • Compatibility and Stability: Confirmed that this dependency upgrade introduces no breaking changes and that all existing unit tests continue to pass, ensuring stability.
Changelog
  • dependencies-lock-modern.json
    • Updated jackson-annotations from 2.19.2 to 2.21.
    • Updated jackson-core from 2.19.2 to 2.21.1.
    • Updated jackson-databind from 2.19.2 to 2.21.1.
    • Updated jackson-dataformat-xml from 2.19.2 to 2.21.1.
    • Updated jackson-datatype-jsr310 from 2.19.2 to 2.21.1.
    • Updated jackson-jaxrs-base from 2.19.2 to 2.21.1.
    • Updated jackson-jaxrs-json-provider from 2.19.2 to 2.21.1.
    • Updated jackson-module-jaxb-annotations from 2.19.2 to 2.21.1.
    • Updated corresponding integrity hashes for all upgraded dependencies.
  • dependencies-lock.json
    • Updated jackson-annotations from 2.19.2 to 2.21.
    • Updated jackson-core from 2.19.2 to 2.21.1.
    • Updated jackson-databind from 2.19.2 to 2.21.1.
    • Updated jackson-dataformat-xml from 2.19.2 to 2.21.1.
    • Updated jackson-datatype-jsr310 from 2.19.2 to 2.21.1.
    • Updated jackson-jaxrs-base from 2.19.2 to 2.21.1.
    • Updated jackson-jaxrs-json-provider from 2.19.2 to 2.21.1.
    • Updated jackson-module-jaxb-annotations from 2.19.2 to 2.21.1.
    • Updated corresponding integrity hashes for all upgraded dependencies.
  • pom.xml
    • Added a new property <jackson.version> with value 2.21.1.
    • Updated jackson-databind dependency to use the new ${jackson.version} property.
    • Updated jackson-datatype-jsr310 dependency to use the new ${jackson.version} property.
    • Updated jackson-module-jaxb-annotations dependency to use the new ${jackson.version} property.
    • Updated jackson-dataformat-xml dependency to use the new ${jackson.version} property.
    • Updated jackson-jaxrs-json-provider dependency to use the new ${jackson.version} property.
Activity
  • No specific activity has been recorded for this pull request yet.
coderabbitai bot commented Mar 6, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 3 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

sourcery-ai bot commented Mar 6, 2026

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Centralizes and upgrades all Jackson dependencies to version 2.21.1 via a new Maven property and refreshes dependency lock files accordingly.

File-Level Changes

Change: Centralize Jackson version management in Maven and upgrade all Jackson artifacts to 2.21.1.
Details:
  • Introduce a jackson.version Maven property set to 2.21.1.
  • Replace hard-coded Jackson versions on core dependencies with the jackson.version property.
  • Apply the new version to databind, JSR-310 datatype, JAXB annotations module, XML dataformat, and JAX-RS JSON provider dependencies.
Files: pom.xml

Change: Align dependency lock files with the upgraded Jackson versions.
Details:
  • Update modern dependency lock file entries for all Jackson artifacts to 2.21.x.
  • Update legacy dependency lock file entries for all Jackson artifacts to 2.21.x.
Files: dependencies-lock-modern.json, dependencies-lock.json

Assessment against linked issues

Issue Objective Addressed Explanation
#2322 Update all specified com.fasterxml.jackson dependencies (jackson-databind, jackson-datatype-jsr310, jackson-module-jaxb-annotations, jackson-dataformat-xml, jackson-jaxrs-json-provider) from version 2.19.2 to 2.21.1 in the project configuration.

Possibly linked issues

  • #[Dependency]: Update jackson dependencies 2.19.2 to 2.21.1: They match exactly: the PR updates all listed Jackson dependencies from 2.19.2 to 2.21.1 as requested.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request upgrades Jackson dependencies to version 2.21.1 and centralizes the version management using a Maven property, which is a good improvement. My review focuses on ensuring consistency and suggesting further maintainability improvements.

I've noticed a version inconsistency in the generated lock files for jackson-annotations. Additionally, I've suggested using Jackson's Bill of Materials (BOM) in pom.xml for even better dependency management. Please see the detailed comments.

Note: Security Review has been skipped due to the limited scope of the PR.

@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • Since you're centralizing the Jackson version, consider importing the official jackson-bom in <dependencyManagement> instead of a single jackson.version property to ensure all present and future Jackson modules resolve to a consistent version automatically.
  • Double-check for any other Jackson artifacts used transitively (e.g., jackson-annotations or jackson-core) that might not be pinned explicitly; aligning them to ${jackson.version} or the BOM would avoid version skew.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Since you're centralizing the Jackson version, consider importing the official `jackson-bom` in `<dependencyManagement>` instead of a single `jackson.version` property to ensure all present and future Jackson modules resolve to a consistent version automatically.
- Double-check for any other Jackson artifacts used transitively (e.g., `jackson-annotations` or `jackson-core`) that might not be pinned explicitly; aligning them to `${jackson.version}` or the BOM would avoid version skew.
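
A lock file check for the version skew raised in the Qodo and Sourcery comments, as an added example (not code from this repository or from any of the review bots). It separates a patch-level mismatch inside one release line from drift across release lines. The flat top-level `dependencies` array, the function names, and the choice to fail only on cross-line drift are assumptions; the sample data is constructed.

```python
import json
from collections import defaultdict

JACKSON_GROUP = "com.fasterxml.jackson"

# Constructed sample: versions mirror those quoted in this PR. The flat
# top-level "dependencies" array is an assumed lock file layout.
SAMPLE_LOCK = json.dumps({"dependencies": [
    {"groupId": "com.fasterxml.jackson.core", "artifactId": "jackson-annotations", "version": "2.21"},
    {"groupId": "com.fasterxml.jackson.core", "artifactId": "jackson-core", "version": "2.21.1"},
    {"groupId": "com.fasterxml.jackson.core", "artifactId": "jackson-databind", "version": "2.21.1"},
    {"groupId": "com.fasterxml.jackson.dataformat", "artifactId": "jackson-dataformat-xml", "version": "2.21.1"},
    {"groupId": "org.example", "artifactId": "unrelated-lib", "version": "1.0.0"},
]})


def minor_line(version):
    """Reduce '2.21.1' or '2.21' to the release line '2.21'."""
    return ".".join(version.split(".")[:2])


def is_jackson(group_id):
    """Match the Jackson root group and its sub-groups, nothing else."""
    return group_id == JACKSON_GROUP or group_id.startswith(JACKSON_GROUP + ".")


def jackson_versions(lock_text):
    """Map each Jackson artifactId in the lock file to its pinned version."""
    deps = json.loads(lock_text).get("dependencies", [])
    return {d["artifactId"]: d["version"] for d in deps
            if is_jackson(d.get("groupId", ""))}


def skew_report(lock_text, expected):
    """Separate patch-level mismatches from drift across release lines."""
    versions = jackson_versions(lock_text)
    lines = defaultdict(list)
    for artifact, version in sorted(versions.items()):
        lines[minor_line(version)].append(artifact)
    return {
        "release_lines": dict(lines),
        "cross_line_drift": len(lines) > 1,
        "differs_from_expected": {a: v for a, v in versions.items() if v != expected},
    }


if __name__ == "__main__":
    report = skew_report(SAMPLE_LOCK, expected="2.21.1")
    print(json.dumps(report, indent=2))
    # Assumed policy: fail only when artifacts span more than one release line.
    raise SystemExit(1 if report["cross_line_drift"] else 0)
```

On the sample, jackson-annotations is listed as differing from the expected 2.21.1, but the run exits 0 because every Jackson artifact is on the 2.21 line.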
