Skip to content

build(deps): Bump jackson to 2.21.3#19528

Merged
FrankChen021 merged 2 commits into
apache:masterfrom
amaechler:bump-jackson-2.21
May 29, 2026
Merged

build(deps): Bump jackson to 2.21.3#19528
FrankChen021 merged 2 commits into
apache:masterfrom
amaechler:bump-jackson-2.21

Conversation

@amaechler
Copy link
Copy Markdown
Contributor

@amaechler amaechler commented May 28, 2026

Description

This PR bumps jackson (2.20.2 to 2.21.3) and adds a missing license entry for org.jspecify:jspecify in extensions-core/kubernetes-extensions.

Bumped Jackson to 2.21.3

Jackson 2.21 changed the default resolution behaviour when @JacksonInject and @JsonProperty annotate the same parameter: the injected value now wins over the JSON value, where 2.20 treated the inject as a fallback used only when JSON did not supply one. This affects DruidNode's serviceName, port, and tlsPort parameters, which carry both annotations with the expectation that JSON config values win when present; everywhere else the annotations are on distinct parameters and are unaffected. See Most Wanted Feature: Injection-only @JacksonInject in the release blog post.

Restored JSON-input precedence on DruidNode

Added the explicit useInput = OptBoolean.TRUE to the three @JacksonInject annotations on DruidNode's constructor parameters so that JSON wins over inject.

Release note

Dependency Bumps:

  • jackson: 2.20.2 → 2.21.3

If external code has both @JacksonInject and @JsonProperty on the same parameter and relies on the JSON value winning when supplied, add the explicit useInput = OptBoolean.TRUE to the annotation (or stay on Jackson 2.20.x). All such sites in Druid itself have been updated.

This PR has:

  • been self-reviewed.
  • a release note entry in the PR description.
  • added or updated version, license, or notice information in licenses.yaml
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.

@amaechler
Bump jackson to 2.21.3
59701a2 
Jackson 2.21 (issue apache#1381) changed the default resolution of
@JacksonInject when combined with @JsonProperty on the same parameter:
the injected value now wins over the JSON value, where 2.20 treated
the inject as a fallback used only when JSON did not supply one.

DruidNode's serviceName, port, and tlsPort parameters carry both
annotations, with JSON expected to win when supplied — this is how
DruidNode JSON config files have always worked. Add the explicit
useInput = OptBoolean.TRUE to restore that contract.

A repo-wide audit confirmed DruidNode's three parameters are the only
sites in Druid where @JacksonInject and @JsonProperty annotate the
same parameter; everywhere else the annotations are on distinct
parameters and are unaffected.

Also adds the previously-missing license entry for org.jspecify:jspecify
1.0.0 in extensions-core/kubernetes-extensions, which the
check-licenses dependency report flagged.
FrankChen021
FrankChen021 reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@FrankChen021 FrankChen021 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity Findings
P0 0
P1 1
P2 0
P3 0
Total 1
Severity Findings
P0 0
P1 1
P2 0
P3 0
Total 1

Reviewed 3 of 3 changed files.

This is an automated review by Codex GPT-5.5

Comment thread server/src/main/java/org/apache/druid/server/DruidNode.java
@amaechler
Preserve @JacksonInject metadata in GuiceAnnotationIntrospector
2c0b790 
findInjectableValue was returning JacksonInject.Value.forId(id), which
strips useInput and optional from the original annotation. Production
deserialization happens to remain correct under jackson 2.21 because
AnnotationIntrospectorPair.findInjectableValue falls back to the
secondary (default Jackson) introspector and merges the recovered
useInput onto the primary's Value via withUseInput.

That fallback is undocumented as part of the introspector contract and
would silently regress if the pair semantics change, or if this
introspector were ever installed standalone for a special-purpose
mapper. Construct the Value via JacksonInject.Value.from(annotation)
.withId(id) so the introspector returns a complete Value on its own
and no longer relies on the pair to fix it up.

The annotation lookup is hoisted to the top of findInjectableValue so
the non-null contract between it and findGuiceInjectId is explicit —
findGuiceInjectId now documents the precondition and trusts the caller
to verify, eliminating the duplicate getAnnotation call.

Defensive cleanup motivated by FasterXML/jackson-databind#1381; no
observable behavior change.
FrankChen021
FrankChen021 reviewed May 29, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@FrankChen021 FrankChen021 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reviewed the follow-up. The author update preserves the JacksonInject flags directly, so the previous concern is handled and I found no new issues.

Reviewed 4 of 4 changed files.

This is an automated review by Codex GPT-5.5

@FrankChen021 FrankChen021 merged commit 2f35573 into apache:master May 29, 2026
38 checks passed
@github-actions github-actions Bot added this to the 38.0.0 milestone May 29, 2026
@amaechler amaechler deleted the bump-jackson-2.21 branch May 29, 2026 18:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@FrankChen021 FrankChen021 FrankChen021 approved these changes

Assignees

No one assigned

Labels

Area - Dependencies

Projects

None yet

Milestone

38.0.0

Development

Successfully merging this pull request may close these issues.

2 participants

@amaechler @FrankChen021