spray-json v1.3.5 Release Notes

Release Date: 2018-11-08
  • See the milestone for all changes.

    Security fix for several denial-of-service vulnerabilities:

    • CVE-2018-18853: Limit the number of characters for numbers in the parser (#278)
    • CVE-2018-18854: Use TreeMap instead of HashMap for JsObject to prevent collision attacks (#277)
    • CVE-2018-18855: Fix uncontrolled recursion in parser by limiting nesting depth (#286)

    Thanks to Andriy Plokhotnyuk, who brought the first two issues to our attention.

    Migration Notes

    For some fixes, we added new limits to the parser:

    • Maximum depth of nested JSON values, defaults to 1000
    • Maximum characters for number values, defaults to 100

    We introduced a JsonParserSettings class which can be used to customize these limits. New overloads for JsonParser.apply and String.parseJson have been introduced to specify custom settings.

    Also, field ordering changed when printing a JsValue. Use jsValue.sortedPrint if you want to be sure fields are always ordered the same.
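
    The following is an added example, not code from the spray-json project: it parses three constructed inputs first with the default limits and then with tighter ones passed through the new String.parseJson and JsonParser.apply overloads. The names JsonParserSettings.default, withMaxDepth and withMaxNumberCharacters do not appear in these notes and are assumed here; check them against the version you use.

```scala
import spray.json._
import scala.util.{Failure, Success, Try}

object ParserLimitsExample extends App {
  // Constructed inputs (not taken from the release notes).
  val ordinary     = """{"b": 2, "a": [1, {"c": 3}]}"""
  val deeplyNested = ("[" * 50) + ("]" * 50) // 50 levels of nesting
  val longNumber   = "1" * 40                // 40-character number literal

  // Limits tighter than the defaults (depth 1000, 100 number characters),
  // for input that is expected to be small and shallow.
  // Assumed API: JsonParserSettings.default, withMaxDepth, withMaxNumberCharacters.
  val strict: JsonParserSettings =
    JsonParserSettings.default
      .withMaxDepth(16)
      .withMaxNumberCharacters(20)

  // Print whether a parse attempt succeeded or was rejected by the parser.
  def report(label: String, result: Try[JsValue]): Unit = result match {
    case Success(_) => println(s"$label: accepted")
    case Failure(e) => println(s"$label: rejected (${e.getMessage})")
  }

  // Default limits: all three constructed inputs stay within them.
  report("default/ordinary", Try(ordinary.parseJson))
  report("default/nested", Try(deeplyNested.parseJson))
  report("default/number", Try(longNumber.parseJson))

  // Strict limits through the String.parseJson overload:
  // the ordinary document passes, the 50-level document exceeds maxDepth = 16.
  report("strict/ordinary", Try(ordinary.parseJson(strict)))
  report("strict/nested", Try(deeplyNested.parseJson(strict)))

  // Strict limits through the JsonParser.apply overload:
  // the 40-character number exceeds maxNumberCharacters = 20.
  report("strict/number", Try(JsonParser(longNumber, strict)))

  // Field order of the default printers changed in this release;
  // sortedPrint gives a stable ordering for comparisons and snapshots.
  println(ordinary.parseJson(strict).sortedPrint)
}
```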


Previous changes from v1.3.4

  • This release is cross-released for Scala 2.10, 2.11, 2.12 and 2.13-M2.

    It is mostly a small maintenance release in which some documentation was polished and, for example, the sortedPrint printer was added.

    Specific source-compatibility breaking edge case: While this release remains binary compatible, there is one specific edge case that is not source-compatible when upgrading to this version. The method def pimpString was made non-implicit and replaced by implicit def enrichString. If you previously imported the implicit specifically by its name, i.e. you wrote import spray.json.pimpString rather than import spray.json._, code relying on that import will now break. Please change it to the wildcard import spray.json._, which will bring in the required implicits.

    For a complete list of closed issues please refer to the milestone.