Update dependency org.glassfish.jersey.media:jersey-media-json-jackson to v2.36

[mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
org.glassfish.jersey.media:jersey-media-json-jackson (source)	dependencies	minor	2.27 -> 2.36

By merging this PR, the below issues will be automatically resolved and closed:

Severity	CVSS Score	CVE	GitHub Issue
Critical	9.8	CVE-2019-10202	#41
Critical	9.8	CVE-2019-14379	#61
Critical	9.8	CVE-2019-14540	#2
Critical	9.8	CVE-2019-14892	#58
Critical	9.8	CVE-2019-14893	#55
Critical	9.8	CVE-2019-16335	#18
Critical	9.8	CVE-2019-16942	#36
Critical	9.8	CVE-2019-16943	#38
Critical	9.8	CVE-2019-17267	#21
Critical	9.8	CVE-2019-17531	#4
Critical	9.8	CVE-2019-20330	#66
Critical	9.8	CVE-2020-8840	#37
Critical	9.8	CVE-2020-9546	#60
Critical	9.8	CVE-2020-9547	#62
Critical	9.8	CVE-2020-9548	#63
High	8.8	CVE-2020-10672	#71
High	8.8	CVE-2020-10673	#72
High	8.8	CVE-2020-10968	#25
High	8.8	CVE-2020-10969	#26
High	8.8	CVE-2020-11111	#43
High	8.8	CVE-2020-11112	#46
High	8.8	CVE-2020-11113	#45
High	8.1	CVE-2020-10650	#135
High	8.1	CVE-2020-11619	#20
High	8.1	CVE-2020-11620	#30
High	8.1	CVE-2020-14060	#50
High	8.1	CVE-2020-14061	#52
High	8.1	CVE-2020-14062	#54
High	8.1	CVE-2020-14195	#73
High	8.1	CVE-2020-24616	#48
High	8.1	CVE-2020-24750	#56
High	8.1	CVE-2020-35490	#89
High	8.1	CVE-2020-35491	#93
High	8.1	CVE-2020-35728	#84
High	8.1	CVE-2020-36179	#98
High	8.1	CVE-2020-36180	#88
High	8.1	CVE-2020-36181	#87
High	8.1	CVE-2020-36182	#91
High	8.1	CVE-2020-36183	#90
High	8.1	CVE-2020-36184	#94
High	8.1	CVE-2020-36185	#92
High	8.1	CVE-2020-36186	#96
High	8.1	CVE-2020-36187	#95
High	8.1	CVE-2020-36188	#86
High	8.1	CVE-2020-36189	#85
High	8.1	CVE-2021-20190	#97
High	7.5	CVE-2019-12086	#3
High	7.5	CVE-2019-14439	#22
High	7.5	CVE-2020-25649	#83
High	7.5	CVE-2020-36518	#121
High	7.5	CVE-2022-42003	#141
High	7.5	CVE-2022-42004	#140
Medium	5.9	CVE-2019-12384	#32
Medium	5.9	CVE-2019-12814	#24

---

Release Notes

eclipse-ee4j/jersey (org.glassfish.jersey.media:jersey-media-json-jackson)

v2.36

Compare Source

[Issue 4781] - Bug Report: CDI tries to instantiate interface (Jersey 2.30)

[Issue 4851] - NettyConnectorProvider (jersey-netty-connector) is throwing an exception with inactive_pooled_connection_handler error

[Issue 4897] - Add support for Apache HTTP Client 5.x

[Issue 4978] - Netty Connector proxy handler to support JDK's options

[Issue 5014] - Redact HTTP headers on LoggingFeature

[Issue 5036] - ClassCastException if loaded by different class loaders in OSGi runtime

[Issue 5052] - Make JacksonFeature configurable

[Pull 4812] - Remove com.sun.org.apache.xml.internal

[Pull 4847] - Bug Report: CDI tries to instantiate interface (Jersey 2.30)

[Pull 4854] - NettyConnectorProvider (jersey-netty-connector) is throwing an except…

[Pull 4886] - Update Directory Maven Plugin to work with maven 3.8.x

[Pull 4887] - modulelist maven plugin refactoring

[Pull 4918] - Better handling of MicroProfile Rest Client Proxies

[Pull 4924] - Refactor processResponseError in ServerRuntime

[Pull 4928] - Adopt Jackson 2.13

[Pull 4933] - Replace usage of deprecated beanManager.createInjectionTarget

[Pull 4939] - Prevent loading Feature/DynamicFeature services multiple times.

[Pull 4948] - Add OSGi headers to MP Config module

[Pull 4950] - Apache httpclient 5

[Pull 4954] - Cache a lazy reference to OSGi registry instance

[Pull 4957] - Fix OSGi tests on JDK 17

[Pull 4962] - convert Long,long,Integer,int values to Long/Integer types

[Pull 4967] - extended condition not to add the content-length header negative

[Pull 4968] - Enable percent encoding servlet context path and servlet path

[Pull 4969] - Exclude unix protocols from request processing in closing strategy

[Pull 4972] - fix broken license url for asm objectweb

[Pull 4975] - Fix broken license url for asm objectweb for core-server

[Pull 4980] - Remove innate packages from javadoc documentation

[Pull 4982] - Allow for passing in additional property files to configure additional configs

[Pull 5003] - Fix logging delimiter parameterization

[Pull 5007] - Fix regression on LoggingFeature's max entity size

[Pull 5010] - honor @​Vetoed on a bean

[Pull 5018] - Update Xerces to prevent CVEs

[Pull 5024] - Fixed NullpointerException when getting methodtree

[Pull 5025] - Redact HTTP headers on LoggingFeature

[Pull 5028] - Enhancement for docprocessor

[Pull 5032] - Adopt spring 5.3.18

[Pull 5034] - Update Netty to 4.1.75

[Pull 5035] - Blocked thread if WebApplicationException is reused. #​4097

[Pull 5038] - reduce usage of Guava

[Pull 5039] - Release MessageBodyWorkers when Response gets closed.

[Pull 5041] - Adopt ASM 9.3

[Pull 5044] - Do not trim stacktrace in case of an exception

[Pull 5046] - Support null PROXY_USERNAME

[Pull 5048] - Netty Connector doesn't support Followredirects

[Pull 5051] - For OSGi services lookup use only classes assignable from service class

[Pull 5055] - Updated documentation and javadoc for Connectors

[Pull 5059] - Add Apache 5 connector to client tests

[Pull 5060] - Update hamcrest to the latest

[Pull 5068] - Prevent LoggingFeature timeout on context#hasEntity for HEADERS_ONLY

[Pull 5070] - Remove Spring 4 from Bom pom

[Pull 5071] - Update Netty proxy settings

[Pull 5074] - Make JacksonFeature configurable

[Pull 5076] - Update Jackson to 2.13.3

[Pull 5078] - Dependencies versions update

v2.35

Compare Source

[Issue 4742] - Connection timeout the double of what is configured

[Issue 4748] - Exception in Jersey Jetty handler's URL parsing bubbles up to the top

[Issue 4773] - NullPointerException in HeaderUtils.getPreferredCookie

[Pull 4779] - Enable to use @​Context in constructors of classes instantiated by CDI

[Pull 4783] - Support more optionals

[Pull 4784] - Bump commons-io from 2.2 to 2.7 in /test-framework/maven/custom-enforcer-rules

[Pull 4785] - JDK16 Support

[Pull 4789] - Make @​Singleton to be singleton with CDI integration

[Pull 4792] - Update groovy to work with jdk17

[Pull 4795] - Fix issue NullPointerException in HeaderUtils.getPreferredCookie #​4773

[Pull 4799] - Support custom parameter types with `Optional`

[Pull 4800] - Helloworld example extendned by GraalVM native-image generation

[Pull 4802] - User Guide: GraalVM/native-image chapter

[Pull 4803] - GraalVM native-image jersey-client module

[Pull 4809] - handle URISyntaxException in JettyHttpContainer

[Pull 4811] - Connection timeout the double of what is configured

[Pull 4816] - CI env for Jenkins

[Pull 4820] - CI env for Jenkins

[Pull 4821] - Jdk connector dead lock

[Pull 4822] - New CDI based EE injection manager incubating implementation.

[Pull 4823] - Issue4810

[Pull 4824] - JerseyTest is not compatible with JUnit 5

[Pull 4829] - ParamConverters cleanup

[Pull 4832] - Bump ant from 1.10.9 to 1.10.11

[Pull 4833] - Allow Feature and Dynamic feature as a JDK services

[Pull 4835] - Prevent NoSuchMethodError when used MP Rest Client 1.4 API & CDI

[Pull 4836] - Updated ASM to 9.2

[Pull 4837] - add possibility to use entity with http method Options in requests according to the RFC 7231

[Pull 4845] - Cache Application#getSingletons not be called twice

[Pull 4846] - Updated versions in 2.x

[Pull 4848] - System properties config for TimeWindowStatisticsImplTest

v2.34

Compare Source

[Issue 4646] - Jetty connector client response buffer is hard limited to 2MB

[Issue 4649] - SseEventSource cannot see the JAXRS_DEFAULT_SSE_BUILDER in OSGI

[Issue 4651] - Add a ParamConverterProvider for java.util.Optional parameters

[Issue 4654] - MicroProfile Rest Client 2.0 support

[Issue 4665] - Hk2RequestScope.Instance logger is not static

[Issue 4678] - JdkConnectorProvider cannot parse Set-cookie header value when expires attribute is present

[Issue 4683] - Setting ExecutorService causes connection leak

[Issue 4694] - NettyConnector fixups

[Issue 4717] - Add tests for newly updated Jersey classes by RestClient

[Issue 4722] - Jersey 3.0.1 no longer defaults to */* consumes

[Issue 4723] - Jackson module auto-discovery sets Jaxb Annotation Introspector as primary

[Issue 4734] - Print request/response logs in a single line

[Pull 4618] - Groovy jdk 16

[Pull 4639] - Chapter for Expect:100-continue header (client)

[Pull 4647] - Add support RFC 5987 for attribute filename* in HTTP header Content-Disposition

[Pull 4662] - #​4658 Apache HttpComponents upgrade

[Pull 4675] - Make logger static into Hk2RequestScope.Instance class

[Pull 4677] - Jetty synchronous max buffer size property

[Pull 4680] - 2.x apidocs bundle generation fixes

[Pull 4681] - JdkConnectorProvider cannot parse Set-cookie header value when expires

[Pull 4682] - Public SseEventSourceBuilder implementation

[Pull 4684] - Add a ParamConverterProvider for array support

[Pull 4690] - Add a ParamConverterProvider for java.util.Optional parameters

[Pull 4695] - Allow for having CDI on pure Jersey Client without Jersey Server

[Pull 4697] - Stop filling monitoring queues when processor fails

[Pull 4699] - MicroProfile Rest Client 2.0 support

[Pull 4704] - Updated javadoc maven plugin API link

[Pull 4705] - Do not create a connector multiple times for each rx() call

[Pull 4707] - Configurable COLLISION_BUFFER_POWER

[Pull 4710] - Adjusting Jersey archetypes

[Pull 4712] - switching to NIO tmp file creation approach

[Pull 4714] - update maven-antrun-plugin to 3.0.0

[Pull 4716] - Custom schedulers to execute @​PreDestroy methods

[Pull 4720] - Updating ant to 1.10.9 for antrun plugin

[Pull 4724] - Rest client 2.0 updates

[Pull 4728] - Add a wildcard @​Produces and @​Consumes...

[Pull 4729] - Empty/NULL properties handling

[Pull 4731] - processing order for Jackson/Jaxb annotations

[Pull 4732] - adjusting examples to be run with optional JAXB

[Pull 4745] - Logging delimiter parametrized

[Pull 4749] - Allow to use @​Inject instead of @​Context with CDI

[Pull 4753] - Proper handling of chunked input streams in LoggingInterceptor

[Pull 4754] - Adopt ASM 9.1 to support JDK 17

[Pull 4758] - Adopted Jackson 2.12.2. No change in repackaged Jackson.

[Pull 4762] - Replace null Configuration in ContainerRequest with an empty instance

[Pull 4764] - Lazy synchronized SSL Context initialization in the HttpUrlConnector

[Pull 4766] - Add a default Enum MB provider.

[Pull 4769] - Updated properties for netty connection pooling

[Pull 4770] - Javadoc for non-public classes (cdi-rs-inject)

v2.33

Compare Source

[Pull 4566] - Fix custom SSLSocketFactory not being set because of an unsafe lazy-initialization in JDK

[Pull 4573] - Support for SSL Configuration within JerseyTest

[Pull 4593] - Rest client inbound headers provider added

[Pull 4605] - Bump junit from 4.12 to 4.13.1

[Pull 4611] - Create PropertiesClass for external properties (http.proxyHost, http.proxyPort, http.nonProxyHosts)

[Pull 4612] - Adopt Jackson 2.11.3

[Pull 4613] - HttpUrlConnector extension

[Pull 4614] - NettyConnector connection close

[Pull 4615] - Allow for org.glassfish.jersey.servlet.ServletContainer in web.xml

[Pull 4623] - full clear of NettyInputStream

[Pull 4634] - Make JAX-B API optional

[Pull 4641] - Support for new property to ignore responses in exceptions thrown by the Client API

[Pull 4643] - Enable CompletionStage unwrap in MBW

[Pull 4648] - Keep ordering of classes and instances retrieved from ComponentBag

[Pull 4663] - Modify OSGi Jackson requirement to be compatible with GF 5.1

v2.32

Compare Source

[Issue 4462] - InvocationInterceptors only used once when registered on a Client.

[Issue 4493] - ChunkedOutput race condition

[Issue 4500] - JerseyEventSink shouln't throw exceptions in Flow.Subscriber methods

[Issue 4501] - SSE Endpoint should be able to inject Flow.Subscriber

[Issue 4507] - Intermittent HK2 ServiceLocatorImpl has been shut down

[Issue 4522] - org.glassfish.jersey.logging.LoggingInterceptor.LoggingStream does not override write(byte[] b, int off, int len)

[Issue 4533] - “NoSuchMethodErrors” due to multiple versions of org.apache.maven:maven-artifact:jar

[Issue 4536] - Missing Expect header and 100-continue handling in Jersey Client

[Issue 4538] - Features are executed in random order

[Issue 4542] - Loose dependency in CompositeInjectingConstraintValidatorFactory

[Issue 4548] - Netty connector timeouts are not heeded

[Pull 4485] - Note the subscription to email list and Twitter link in Readme

[Pull 4498] - Fix resources in containers

[Pull 4502] - Added Documentation for JSON-B support

[Pull 4503] - SSE Flow.Subscriber injectable as event sink

[Pull 4506] - Clean unused dependencies

[Pull 4508] - Fix intermittent premature ClientRuntime finalization

[Pull 4511] - Fixed HK2 AbstractActiveDescriptor Test

[Pull 4512] - project-info plugin configuration

[Pull 4514] - Implemented ClientBuilderListener

[Pull 4520] - Test Gzip + JSP

[Pull 4523] - Response.hasEntity to return true if buffered after readEntity

[Pull 4525] - Allow concurrent Exception to be unwrapped for the ExceptionMapper

[Pull 4526] - Regexp on MP RestClient @​Path

[Pull 4528] - Support TLSv1.3

[Pull 4531] - Fix #​4522 - override write method in LoggingStream

[Pull 4540] - Allow for specifying Feature processing order

[Pull 4541] - Make Kryo use setRegistrationRequired(true) by default

[Pull 4543] - Rest client update to version 1.4.1

[Pull 4559] - Updating maven-javadoc-pugin to 3.2.0

[Pull 4561] - JAX-RS link fixes (new apidocs location)

[Pull 4567] - updateing dependencies for jersey-doc-modulelist-maven-plugin

[Pull 4569] - Use Helidon Connector from Helidon

[Pull 4571] - Prevent race condition in ChunkedOutput

[Pull 4574] - Fix issue with optional CDI in BV module

[Pull 4576] - Expect:100-Continue header handling

[Pull 4577] - RestClientListener call switched

[Pull 4578] - TimeOut property for Netty Connector

[Pull 4579] - attributeValue NPE handling

[Pull 4580] - Put Helidon Properties file back

[Pull 4581] - Support Apache HttpEntity as an entity type when using Apache Connector

[Pull 4582] - Add Helidon module to bom pom and remove Jackson 1

v2.31

Compare Source

[Issue 4362] - Upgrade Hibernate Validator to 6.1.0.Final

[Issue 4458] - ApacheConnector force the useSystemProperties flag to false

[Pull 4375] - Fixed #​3801 - inject cdi into custom validator

[Pull 4414] - Use standard pom.xml structure in tests/integration/microprofile

[Pull 4415] - Use request scope ClientProperties.READ_TIMEOUT in Jetty && Netty

[Pull 4419] - Allow to use HeaderDelegateProvider to parse the response MediaType

[Pull 4425] - Updated GF, Jetty, Mimepull, Moxy, Yasson dependencies

[Pull 4426] - Support jdk15

[Pull 4429] - Make sure the RX invoker gets ExecutorService from Provider

[Pull 4431] - Adopt ASM 8.0

[Pull 4432] - Upgraded bean validation to 6.1.2.Final

[Pull 4438] - Fix jersey examples

[Pull 4441] - Fix some build warnings and a multithread warning, when building with…

[Pull 4442] - JerseyInvocation should override toString()

[Pull 4447] - feat: allow json-jackson to auto-discover modules

[Pull 4450] - When no JAX-B RI on CP warn and disable WADL

[Pull 4453] - jersey-2031

[Pull 4459] - Activate useSystemProperties into ApacheConnector (#​4458)

[Pull 4460] - Offer the Client (partial) response in ProcessingException.

[Pull 4461] - Allow the user for overriding the default Viewable MediaType

[Pull 4466] - Updated NOTICE files and regarding legal information

[Pull 4467] - Be able to use invocation interceptor for multiple requests

[Pull 4469] - ClientDestroyTest fix

[Pull 4471] - Run tests with JDK11 in servlet-2.5-mvc-1

[Pull 4472] - Set additional security features on SecureSaxParserFactory.

[Pull 4473] - Execute tests in servlet-2.5-mvc-3

[Pull 4475] - Set Bundle-ActivationPolicy on core-common module

[Pull 4477] - Connector to Helidon 2 Web Client

[Pull 4482] - javadoc fix for helidon connector

[Pull 4483] - Moved localization messages to a proper folder

v2.30.1

Compare Source

[Issue 4369] - NettyConnectorProvider (jersey-netty-connector) doesn't send query parameters in the Get Request

[Issue 4380] - Jersey 2.30 does not work on JDK 11

[Issue 4388] - Jerey 2.30 breaks HK2 AbstractBinder injection in Features

[Pull 4339] - Adopt Jackson 2.10.1

[Pull 4364] - Updated checkstyle plugin to latest 3.1.0

[Pull 4366] - Multi release sources

[Pull 4371] - Jersey Configuration documentation

[Pull 4373] - Fixed stacktraces caused by incorrect JNDI lookup

[Pull 4376] - [#​3651] Broken links in examples README files

[Pull 4377] - [#​3726] Typo in preface

[Pull 4378] - [#​3720] Incorrect method in the documentation

[Pull 4386] - Fix #​4380 - Jersey 2.30 does not work on JDK 11

[Pull 4387] - netty connector/container modifications

[Pull 4390] - Fix #​3433 - Multiple cookies with same name are not supported

[Pull 4393] - Query parameters were not included in netty URI

[Pull 4394] - Allow HK2 AbstractBinder class to bind before the Feature is called

[Pull 4396] - Preparation for GF 6

v2.30

Compare Source

[Issue 4245] - Java 11 java.desktop module dependency

[Issue 4256] - HK2 AbstractBinders are configured twice

[Issue 4266] - Fix HeaderDelageProvider functionality

[Issue 4294] - Inefficient access of LinkedList in Resource$Builder.mergeResources

[Issue 4302] - Jetty 9.4.22 QueuedThreadPool compatibility

[Issue 4304] - ResourceConfig not properly using specified ClassLoader

[Issue 4325] - Build Jersey on JDK13

[Issue 4336] - Allow to use a connector with RESTClient

[Issue 4344] - Jersey 2.29 AbstractBinder.configure() called twice

[Pull 4254] - Wiremock does not run now when skipTests property is set as true

[Pull 4258] - Loading keystore resource if location starts with /

[Pull 4260] - Jersey documentation scripts

[Pull 4268] - Use locale insensitive case changes to ensure user code doesn't break…

[Pull 4271] - Do not handle already handled requests on Jetty

[Pull 4272] - AsyncInvocationinverceptors not properly created for each request

[Pull 4273] - DocBook fixes

[Pull 4274] - JsonBindingProvider provides JSON-B (not Jackson)

[Pull 4275] - Throwing NoContentException when InputStream is empty

[Pull 4276] - Allow for using HeaderDelegateProvider service

[Pull 4277] - HK2 to skip fields injected by CDI in non bean-defining-annotated beans

[Pull 4279] - Update ASM to 7.2

[Pull 4280] - Move CDI integration tests to a common CDI-Integration module

[Pull 4283] - Enable to use AsyncInvoker in Rx client

[Pull 4290] - release notes maven plugin (for Jersey)

[Pull 4291] - Ignore tests of container-runner-maven-plugin on Windows

[Pull 4292] - Assure that exception in async interceptor doesn't prevent completion

[Pull 4296] - exclude javax.validation-api from bean validation dependency

[Pull 4298] - Take Hk2CustomBoundTypesProvider into an account

[Pull 4300] - Performance improvement in Resource.Builder#mergeResources

[Pull 4301] - New client PreInvocationInterceptor and PostInvocationInterceptor SPI

[Pull 4303] - Make JettyConnectorThreadPool#newThread public to comply with latest Jetty

[Pull 4306] - Fixes #​4304: ResourceConfig not properly using specified ClassLoader

[Pull 4307] - Use Spring Context 4 in the Spring integration test

[Pull 4309] - Spring 5 integration tests

[Pull 4312] - Rewritten Netty Jersey implementation using direct ByteBuf consumption

[Pull 4313] - new InvocationBuilderListener SPI

[Pull 4314] - Override HK2 dependency versions with versions used in Jersey

[Pull 4317] - Added deprecated methods back to retain backwards compatibility

[Pull 4318] - Close SseEventSink at the end of the example

[Pull 4327] - Allow to use additional properties with security manager/4323

[Pull 4338] - Fix issues with ChunkedInputStream when using Apache Connector

[Pull 4341] - Build Jersey on JDK13

[Pull 4342] - Allow to disable certain default providers

[Pull 4347] - ConnectorProvider support added to mp rest client

[Pull 4349] - Prevent HK2 AbstractBinder from being configured twice.

[Pull 4350] - Updated versions of 3rd party content

[Pull 4352] - Replace an Exception thrown with BAD_REQUEST

[Pull 4353] - OSGI groupId fix

[Pull 4358] - initialize legal.source.folder property by plugin

[Pull 4359] - Fix check style

[Pull 4360] - Legal files for common

[Pull 4361] - Properties and plugin change of examples module for legal files

v2.29.1

Compare Source

Issues and Pull Requests

• [Pull 4243] - Fixes #​4239 MediaType in method parameter not overridden by annotation
• [Pull 4240] - Jakarta api integration
• [Pull 4238] - Provide an Apache HttpClientBuilder configuration callback
• [Pull 4236] - Issue 4208 - Fails to inject SecurityContext into Helloworld-CDI2-SE example
• [Pull 4235] - Fix issue with OSGi when having package name starting with "class"
• [Pull 4234] - Updated HK2 version
• [Pull 4233] - Enable Spring4 integration test again
• [Pull 4227] - Using configured executor service for client.
• [Pull 4225] - Add an option to not register the Jackson's ExceptionMappers by JacksonFeature
• [Pull 4224] - Upgrade of MP Rest client to 1.3.3.
• [Pull 4222] - Fix NettyInputStream ByteBuf leak
• [Pull 4221] - Better specify HK2 and Spring dependencies
• [Issue 4214] - Jersey with Jackson exposes that fact to a potential attacker sending misformed JSON data
• [Pull 4212] - Update Apache HTTP Client to 4.5.9
• [Pull 4206] - Fixed: Various bugs in Helloworld CDI SE Example
• [Pull 4204] - Prevent race condition in entity filtering
• [Pull 4203] - Removed invalid email addresses
• [Pull 4202] - Added support for Apache HTTP Client ConnectionKeepAliveStrategy and ConnectionReuseStrategy
• [Pull 4201] - Upgrade jetty to version 9.4