spray-json v1.3.5 Release Notes
Release Date: 2018-11-08
See the milestone for all changes.
Security fix for several Denial of Service vulnerabilities:
- CVE-2018-18853: Limit the number of characters for numbers in the parser (#278)
- CVE-2018-18854: Use TreeMap instead of HashMap for JsObject to prevent collision attacks (#277)
- CVE-2018-18855: Fix uncontrolled recursion in parser by limiting nesting depth (#286)
Thanks to Andriy Plokhotnyuk, who brought the first two issues to our attention.
For some fixes, we added new limits to the parser:
- Maximum depth of nested JSON values, defaults to 1000
- Maximum characters for number values, defaults to 100
We introduced a JsonParserSettings class which can be used to customize these limits. New overloads for String.parseJson have been introduced to specify custom settings.
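An added example (not part of the project's release notes) showing how the new limits can be tightened when parsing untrusted input. The `JsonParserSettings.default`, `withMaxDepth` and `withMaxNumberCharacters` members are taken from the spray-json 1.3.5 API and are not named on this page; the limit values, object names and sample inputs are assumptions constructed for illustration.

```scala
import scala.util.{Failure, Success, Try}
import spray.json._

object UntrustedJson {
  // Assumed limits for an endpoint that only expects small, shallow documents.
  // The library defaults are 1000 (depth) and 100 (number characters).
  val strict: JsonParserSettings =
    JsonParserSettings.default
      .withMaxDepth(32)
      .withMaxNumberCharacters(20)

  // Parse with the strict settings and turn a rejected input into a Left
  // instead of letting the parser exception propagate to the caller.
  def parse(input: String): Either[String, JsValue] =
    Try(input.parseJson(strict)) match {
      case Success(value) => Right(value)
      case Failure(error) => Left(error.getMessage)
    }
}

object Demo extends App {
  // Constructed sample inputs.
  val wellFormed  = """{"id": 42, "tags": ["a", "b"]}"""
  val deeplyNested = ("[" * 100) + ("]" * 100) // 100 levels, above the limit of 32
  val longNumber  = "1" * 50                   // 50 digits, above the limit of 20

  Seq(
    "well-formed"   -> wellFormed,
    "deeply nested" -> deeplyNested,
    "long number"   -> longNumber
  ).foreach { case (label, input) =>
    UntrustedJson.parse(input) match {
      case Right(value) => println(s"$label: accepted ${value.compactPrint}")
      case Left(reason) => println(s"$label: rejected ($reason)")
    }
  }
}
```

Only the well-formed document is accepted; the other two are rejected by the parser limits before any large number conversion or deep recursion takes place.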
Also, field ordering changed when printing a JSON object. Use jsValue.sortedPrint if you want to be sure fields are always ordered the same.
Previous changes from v1.3.4
This release is cross released for Scala 2.10, 2.11, 2.12 and 2.13-M2.
It is mostly a small maintenance release in which some documentation was polished and, for example, the sortedPrint printer was added.
Specific source-compatibility breaking edge case: While binary compatibility remains working in this release, there is one specific edge case which can happen and be not source-compatible when upgrading to this version. The method def pimpString was made not-implicit, and replaced by implicit def enrichString, so if you previously imported the implicit specifically by its name, i.e. rather than import spray.json._ you wrote import spray.json.pimpString, code relying on this change would now break. Please change it to import _, which will bring in the required implicits.
For a complete list of closed issues please refer to the milestone.