You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@jena.apache.org by Jean-Marc Vanel <je...@gmail.com> on 2020/12/11 16:26:10 UTC

Update Jena from 3.16 to 3.17 : problem with Jackson, diverging version in another software

I use latest Play Framework 2.8.5 with Scala (my project is
https://github.com/jmvanel/semantic_forms). I try to upgrade my Jena
dependency from 3.16.0 to 3.17.0 .
I get this message when running:
[error] com.fasterxml.jackson.databind.JsonMappingException: *Scala module
2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0.*
Indeed Jena requires jackson-databind 2.11.3 , while Play is at 2.10.4 . I
tried  to add exclude("com.fasterxml.jackson.core", "jackson-databind" ) in
build.sbt to all Jena dependencies, but no result :( .
I added on Jena all the exclusions for each jackson dependency , even
transitive , but problem is still here :

exclude("com.fasterxml.jackson.core", "jackson-core" )
exclude("com.fasterxml.jackson.core", "jackson-databind" )
exclude("com.fasterxml.jackson.core", "jackson-annotations")
exclude("com.fasterxml.jackson.datatype", "jackson-datatype" )
exclude("com.fasterxml.jackson.datatype", "jackson-datatypejsr310")
exclude("com.fasterxml.jackson.datatype", "jackson-datatype-jdk8")
exclude("com.fasterxml.jackson.module", "jackson-module-parameter-names")
exclude("com.fasterxml.jackson.module", "jackson-module-scala")
exclude("com.fasterxml.jackson.module", "jackson-module-paranamer")

I have  verified which artifacts are resolved by the build tool, by
dependencyTree .
The Jena requirements of the latest jenaVersion = "3.17.0" is
:jackson-databind:2.11.3, which brings jackson-annotations and jackson-core
.

Running show playDependencyClasspath , I get :
[info] * Attributed(/home/jmv/.cache/coursier/v1/https/
repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.11.3/jackson-core-2.11.3.jar
)
[info] * Attributed(/home/jmv/.cache/coursier/v1/https/
repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-annotations/2.11.3/jackson-annotations-2.11.3.jar
)
[info] * Attributed(/home/jmv/.cache/coursier/v1/https/
repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.10.4/jackson-datatype-jdk8-2.10.4.jar
)
[info] * Attributed(/home/jmv/.cache/coursier/v1/https/
repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.10.4/jackson-datatype-jsr310-2.10.4.jar
)
[info] * Attributed(/home/jmv/.cache/coursier/v1/https/
repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar
)

I hoped to drop the Jackson Jena dependencies, and depend only on
Jackson 2.10.4 like Play, but that 's not the case...

Jean-Marc Vanel
<http://semantic-forms.cc:1952/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me>
+33 (0)6 89 16 29 52
Twitter: @jmvanel , @jmvanel_fr ; chat: irc://irc.freenode.net#eulergui
 Chroniques jardin
<http://semantic-forms.cc:1952/history?uri=http%3A%2F%2Fdbpedia.org%2Fresource%2FChronicle>

Re: Update Jena from 3.16 to 3.17 : problem with Jackson, diverging version in another software

Posted by Jean-Marc Vanel <je...@gmail.com>.

With a little help from stackoverflow , I fixed that. I had forgotten the
indirect dependency in Banana-RDF <https://github.com/banana-rdf/banana-rdf>,
on which I applied the same exclusion as Jena itself:
exclude("com.fasterxml.jackson.core", "jackson-databind")

cf
https://github.com/jmvanel/semantic_forms/blob/master/scala/project/Common.scala#L17

Jean-Marc Vanel
<http://semantic-forms.cc:9112/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me>
+33
(0)6 89 16 29 52


Le mar. 15 déc. 2020 à 09:36, Jean-Marc Vanel <je...@gmail.com> a
écrit :

> I feel that I'm cornered with this problem; so I threw a bottle in the sea:
>
> https://stackoverflow.com/questions/65302371/playframework-cannot-override-sbt-dependency
> but my forecast is that I will stay at Jena 3.16 until Play Framework
> updates its Jackson dependencies .
>
> Or someday I will quit Play Framework in favor of Akka, which is anyway
> the underlying server of Play Framework.
> I use very little of Play Framework; my XHTML templates are in plain Scala
> XML.
>
> Jean-Marc Vanel
> <http://semantic-forms.cc:9112/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me> +33
> (0)6 89 16 29 52
>
>
> Le lun. 14 déc. 2020 à 19:23, Jean-Marc Vanel <je...@gmail.com>
> a écrit :
>
>> The exclude declarations looked in fact OK,
>> because the jar for jackson-databind is (like jackson-core) in folder
>> com.fasterxml.jackson.core , which is being excluded, e.g. in :
>>
>>   val jenaTextDependency = "org.apache.jena" % "jena-text" % jenaVersion
>> excludeAll(
>>     ExclusionRule(organization = "*com.fasterxml.jackson.core*" ) ,
>>     ExclusionRule(organization = "com.fasterxml.jackson.datatype" ) ,
>>     ExclusionRule(organization = "com.fasterxml.jackson.module" )
>>
>> After that I tried a more radical SBT exclusion rule, excluding jackson
>> transitively through all application modules:
>>
>> *excludeDependencies* ++= Seq(
>>   ExclusionRule("com.fasterxml.jackson.core" ),
>>   ExclusionRule(organization = "com.fasterxml.jackson.datatype" ) ,
>>   ExclusionRule(organization = "com.fasterxml.jackson.module" )
>> )
>>
>> which excludes everything under "com.fasterxml.jackson.*" for all
>> dependencies :
>>
>> https://github.com/jmvanel/semantic_forms/blob/master/scala/project/Common.scala#L20
>>
>> NOTE: the exception is thrown by Akka : akka % akka-serialization-jackson
>>
>>     [error] com.fasterxml.jackson.databind.JsonMappingException: Scala
>> module 2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0
>>     [error]         at
>> com.fasterxml.jackson.module.scala.JacksonModule.setupModule(JacksonModule.scala:61)
>>     [error]         at
>> com.fasterxml.jackson.module.scala.JacksonModule.setupModule$(JacksonModule.scala:46)
>>     [error]         at
>> com.fasterxml.jackson.module.scala.DefaultScalaModule.setupModule(DefaultScalaModule.scala:17)
>>     [error]         at
>> com.fasterxml.jackson.databind.ObjectMapper.registerModule(ObjectMapper.java:819)
>>     [error]         at
>> akka.serialization.jackson.JacksonObjectMapperProvider$.$anonfun$configureObjectMapperModules$4(JacksonObjectMapperProvider.scala:223)
>>     [error]         at
>> akka.serialization.jackson.JacksonObjectMapperProvider$.$anonfun$configureObjectMapperModules$4$adapted(JacksonObjectMapperProvider.scala:222)
>>     [error]         at
>> scala.collection.immutable.List.foreach(List.scala:431)
>>     [error]         at akka.
>> *serialization.jackson.JacksonObjectMapperProvider*
>> $.configureObjectMapperModules(JacksonObjectMapperProvider.scala:222)
>>     ...
>>     [error]         at
>> akka.actor.ActorSystem$.apply(ActorSystem.scala:290)
>>     [error]         at play.core.server.*DevServerStart*
>> $.$anonfun$mainDev$1(DevServerStart.scala:248)
>>     [error]         at
>> play.utils.Threads$.withContextClassLoader(Threads.scala:22)
>>     [error]         at
>> play.core.server.DevServerStart$.mainDev(DevServerStart.scala:76)
>>
>>
>> I guess I will ask to Play community ...
>>
>> Jean-Marc Vanel
>> <http://semantic-forms.cc:9112/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me> +33
>> (0)6 89 16 29 52
>>
>>
>> Le lun. 14 déc. 2020 à 15:36, Andy Seaborne <an...@apache.org> a écrit :
>>
>>>
>>>
>>> On 14/12/2020 13:12, Jean-Marc Vanel wrote:
>>> > A found a cleaner way with SBT build engine to exclude all Jackson
>>> stuff
>>> > coming from Jena :
>>> >
>>> https://github.com/jmvanel/semantic_forms/blob/2b5bfb31a47376f86cfbb7f2820be1dbeada1a8b/scala/project/Common.scala#L21
>>> >
>>> > But this does not fix the problem "JsonMappingException: Scala module
>>> > 2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0 " .
>>>
>>> databind != datatype
>>>
>>> Jena includes:
>>> com.fasterxml.jackson.core:jackson-core:jar:2.12.0:compile
>>> com.fasterxml.jackson.core:jackson-databind:jar:2.12.0:compile
>>>
>>> >
>>> > I failed to find other dependencies that would bring Jackson 2.11.3 .
>>> > So either the SBT exclusion attempt does not work, or there is some
>>> other
>>> > dependency bringing Jackson 2.11.3  ( Akka ? ) .
>>> >
>>> > Jean-Marc Vanel
>>> > <
>>> http://semantic-forms.cc:9112/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me
>>> >
>>> > +33
>>> > (0)6 89 16 29 52
>>> >
>>> >
>>> > Le sam. 12 déc. 2020 à 15:16, Andy Seaborne <an...@apache.org> a écrit
>>> :
>>> >
>>> >>
>>> >>
>>> >> On 11/12/2020 16:26, Jean-Marc Vanel wrote:
>>> >>> I use latest Play Framework 2.8.5 with Scala (my project is
>>> >>> https://github.com/jmvanel/semantic_forms). I try to upgrade my Jena
>>> >>> dependency from 3.16.0 to 3.17.0 .
>>> >>> I get this message when running:
>>> >>> [error] com.fasterxml.jackson.databind.JsonMappingException: *Scala
>>> >> module
>>> >>> 2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0.*
>>> >>> Indeed Jena requires jackson-databind 2.11.3 , while Play is at
>>> 2.10.4 .
>>> >> I
>>> >>> tried  to add exclude("com.fasterxml.jackson.core",
>>> "jackson-databind" )
>>> >> in
>>> >>> build.sbt to all Jena dependencies, but no result :( .
>>> >>
>>> >> Try excluding all com.fasterxml.jackson from the Jena dependency
>>> >> declaration recursively.
>>> >>
>>> >> Jena would also get jackson from jsonld-java but excludes it.
>>> >>
>>> >> jsonld-java/0.13.2 currently at Jackson 2.11.x
>>> >>
>>> >> Jackson had a number of CVEs so taking control of the dependency in
>>> Jena
>>> >> meant Jena could release specifying fixed versions.
>>> >>
>>> >> Jena should work with 2.10.*  For the jsonld-java usage, there wasn't
>>> a
>>> >> breaking change.
>>> >>
>>> >> 2.11.* has an architecture change than makes the 2.10.* CVE issues go
>>> >> away by design.
>>> >>
>>> >> 2.12.x isn't a breaking change either for the usage made of it
>>> >> (according to the test suite).
>>> >>
>>> >> Of course, jackson is used by many libraries so it could be picked up
>>> by
>>> >> several paths.
>>> >>
>>> >>       Andy
>>> >>
>>> >>> I added on Jena all the exclusions for each jackson dependency , even
>>> >>> transitive , but problem is still here :
>>> >>>
>>> >>> exclude("com.fasterxml.jackson.core", "jackson-core" )
>>> >>> exclude("com.fasterxml.jackson.core", "jackson-databind" )
>>> >>> exclude("com.fasterxml.jackson.core", "jackson-annotations")
>>> >>> exclude("com.fasterxml.jackson.datatype", "jackson-datatype" )
>>> >>> exclude("com.fasterxml.jackson.datatype", "jackson-datatypejsr310")
>>> >>> exclude("com.fasterxml.jackson.datatype", "jackson-datatype-jdk8")
>>> >>> exclude("com.fasterxml.jackson.module",
>>> "jackson-module-parameter-names")
>>> >>> exclude("com.fasterxml.jackson.module", "jackson-module-scala")
>>> >>> exclude("com.fasterxml.jackson.module", "jackson-module-paranamer")
>>> >>>
>>> >>> I have  verified which artifacts are resolved by the build tool, by
>>> >>> dependencyTree .
>>> >>> The Jena requirements of the latest jenaVersion = "3.17.0" is
>>> >>> :jackson-databind:2.11.3, which brings jackson-annotations and
>>> >> jackson-core
>>> >>> .
>>> >>>
>>> >>> Running show playDependencyClasspath , I get :
>>> >>> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
>>> >>>
>>> >>
>>> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.11.3/jackson-core-2.11.3.jar
>>> >>> )
>>> >>> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
>>> >>>
>>> >>
>>> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-annotations/2.11.3/jackson-annotations-2.11.3.jar
>>> >>> )
>>> >>> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
>>> >>>
>>> >>
>>> repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.10.4/jackson-datatype-jdk8-2.10.4.jar
>>> >>> )
>>> >>> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
>>> >>>
>>> >>
>>> repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.10.4/jackson-datatype-jsr310-2.10.4.jar
>>> >>> )
>>> >>> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
>>> >>>
>>> >>
>>> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar
>>> >>> )
>>> >>>
>>> >>> I hoped to drop the Jackson Jena dependencies, and depend only on
>>> >>> Jackson 2.10.4 like Play, but that 's not the case...
>>> >>>
>>> >>> Jean-Marc Vanel
>>> >>> <
>>> >>
>>> http://semantic-forms.cc:1952/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me
>>> >>>
>>> >>> +33 (0)6 89 16 29 52
>>> >>> Twitter: @jmvanel , @jmvanel_fr ; chat: irc://
>>> irc.freenode.net#eulergui
>>> >>>    Chroniques jardin
>>> >>> <
>>> >>
>>> http://semantic-forms.cc:1952/history?uri=http%3A%2F%2Fdbpedia.org%2Fresource%2FChronicle
>>> >>>
>>> >>>
>>> >>
>>> >
>>>
>>

Re: Update Jena from 3.16 to 3.17 : problem with Jackson, diverging version in another software

Posted by Jean-Marc Vanel <je...@gmail.com>.

I feel that I'm cornered with this problem; so I threw a bottle in the sea:
https://stackoverflow.com/questions/65302371/playframework-cannot-override-sbt-dependency
but my forecast is that I will stay at Jena 3.16 until Play Framework
updates its Jackson dependencies .

Or someday I will quit Play Framework in favor of Akka, which is anyway the
underlying server of Play Framework.
I use very little of Play Framework; my XHTML templates are in plain Scala
XML.

Jean-Marc Vanel
<http://semantic-forms.cc:9112/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me>
+33
(0)6 89 16 29 52


Le lun. 14 déc. 2020 à 19:23, Jean-Marc Vanel <je...@gmail.com> a
écrit :

> The exclude declarations looked in fact OK,
> because the jar for jackson-databind is (like jackson-core) in folder
> com.fasterxml.jackson.core , which is being excluded, e.g. in :
>
>   val jenaTextDependency = "org.apache.jena" % "jena-text" % jenaVersion
> excludeAll(
>     ExclusionRule(organization = "*com.fasterxml.jackson.core*" ) ,
>     ExclusionRule(organization = "com.fasterxml.jackson.datatype" ) ,
>     ExclusionRule(organization = "com.fasterxml.jackson.module" )
>
> After that I tried a more radical SBT exclusion rule, excluding jackson
> transitively through all application modules:
>
> *excludeDependencies* ++= Seq(
>   ExclusionRule("com.fasterxml.jackson.core" ),
>   ExclusionRule(organization = "com.fasterxml.jackson.datatype" ) ,
>   ExclusionRule(organization = "com.fasterxml.jackson.module" )
> )
>
> which excludes everything under "com.fasterxml.jackson.*" for all
> dependencies :
>
> https://github.com/jmvanel/semantic_forms/blob/master/scala/project/Common.scala#L20
>
> NOTE: the exception is thrown by Akka : akka % akka-serialization-jackson
>
>     [error] com.fasterxml.jackson.databind.JsonMappingException: Scala
> module 2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0
>     [error]         at
> com.fasterxml.jackson.module.scala.JacksonModule.setupModule(JacksonModule.scala:61)
>     [error]         at
> com.fasterxml.jackson.module.scala.JacksonModule.setupModule$(JacksonModule.scala:46)
>     [error]         at
> com.fasterxml.jackson.module.scala.DefaultScalaModule.setupModule(DefaultScalaModule.scala:17)
>     [error]         at
> com.fasterxml.jackson.databind.ObjectMapper.registerModule(ObjectMapper.java:819)
>     [error]         at
> akka.serialization.jackson.JacksonObjectMapperProvider$.$anonfun$configureObjectMapperModules$4(JacksonObjectMapperProvider.scala:223)
>     [error]         at
> akka.serialization.jackson.JacksonObjectMapperProvider$.$anonfun$configureObjectMapperModules$4$adapted(JacksonObjectMapperProvider.scala:222)
>     [error]         at
> scala.collection.immutable.List.foreach(List.scala:431)
>     [error]         at akka.
> *serialization.jackson.JacksonObjectMapperProvider*
> $.configureObjectMapperModules(JacksonObjectMapperProvider.scala:222)
>     ...
>     [error]         at akka.actor.ActorSystem$.apply(ActorSystem.scala:290)
>     [error]         at play.core.server.*DevServerStart*
> $.$anonfun$mainDev$1(DevServerStart.scala:248)
>     [error]         at
> play.utils.Threads$.withContextClassLoader(Threads.scala:22)
>     [error]         at
> play.core.server.DevServerStart$.mainDev(DevServerStart.scala:76)
>
>
> I guess I will ask to Play community ...
>
> Jean-Marc Vanel
> <http://semantic-forms.cc:9112/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me> +33
> (0)6 89 16 29 52
>
>
> Le lun. 14 déc. 2020 à 15:36, Andy Seaborne <an...@apache.org> a écrit :
>
>>
>>
>> On 14/12/2020 13:12, Jean-Marc Vanel wrote:
>> > A found a cleaner way with SBT build engine to exclude all Jackson stuff
>> > coming from Jena :
>> >
>> https://github.com/jmvanel/semantic_forms/blob/2b5bfb31a47376f86cfbb7f2820be1dbeada1a8b/scala/project/Common.scala#L21
>> >
>> > But this does not fix the problem "JsonMappingException: Scala module
>> > 2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0 " .
>>
>> databind != datatype
>>
>> Jena includes:
>> com.fasterxml.jackson.core:jackson-core:jar:2.12.0:compile
>> com.fasterxml.jackson.core:jackson-databind:jar:2.12.0:compile
>>
>> >
>> > I failed to find other dependencies that would bring Jackson 2.11.3 .
>> > So either the SBT exclusion attempt does not work, or there is some
>> other
>> > dependency bringing Jackson 2.11.3  ( Akka ? ) .
>> >
>> > Jean-Marc Vanel
>> > <
>> http://semantic-forms.cc:9112/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me
>> >
>> > +33
>> > (0)6 89 16 29 52
>> >
>> >
>> > Le sam. 12 déc. 2020 à 15:16, Andy Seaborne <an...@apache.org> a écrit :
>> >
>> >>
>> >>
>> >> On 11/12/2020 16:26, Jean-Marc Vanel wrote:
>> >>> I use latest Play Framework 2.8.5 with Scala (my project is
>> >>> https://github.com/jmvanel/semantic_forms). I try to upgrade my Jena
>> >>> dependency from 3.16.0 to 3.17.0 .
>> >>> I get this message when running:
>> >>> [error] com.fasterxml.jackson.databind.JsonMappingException: *Scala
>> >> module
>> >>> 2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0.*
>> >>> Indeed Jena requires jackson-databind 2.11.3 , while Play is at
>> 2.10.4 .
>> >> I
>> >>> tried  to add exclude("com.fasterxml.jackson.core",
>> "jackson-databind" )
>> >> in
>> >>> build.sbt to all Jena dependencies, but no result :( .
>> >>
>> >> Try excluding all com.fasterxml.jackson from the Jena dependency
>> >> declaration recursively.
>> >>
>> >> Jena would also get jackson from jsonld-java but excludes it.
>> >>
>> >> jsonld-java/0.13.2 currently at Jackson 2.11.x
>> >>
>> >> Jackson had a number of CVEs so taking control of the dependency in
>> Jena
>> >> meant Jena could release specifying fixed versions.
>> >>
>> >> Jena should work with 2.10.*  For the jsonld-java usage, there wasn't a
>> >> breaking change.
>> >>
>> >> 2.11.* has an architecture change than makes the 2.10.* CVE issues go
>> >> away by design.
>> >>
>> >> 2.12.x isn't a breaking change either for the usage made of it
>> >> (according to the test suite).
>> >>
>> >> Of course, jackson is used by many libraries so it could be picked up
>> by
>> >> several paths.
>> >>
>> >>       Andy
>> >>
>> >>> I added on Jena all the exclusions for each jackson dependency , even
>> >>> transitive , but problem is still here :
>> >>>
>> >>> exclude("com.fasterxml.jackson.core", "jackson-core" )
>> >>> exclude("com.fasterxml.jackson.core", "jackson-databind" )
>> >>> exclude("com.fasterxml.jackson.core", "jackson-annotations")
>> >>> exclude("com.fasterxml.jackson.datatype", "jackson-datatype" )
>> >>> exclude("com.fasterxml.jackson.datatype", "jackson-datatypejsr310")
>> >>> exclude("com.fasterxml.jackson.datatype", "jackson-datatype-jdk8")
>> >>> exclude("com.fasterxml.jackson.module",
>> "jackson-module-parameter-names")
>> >>> exclude("com.fasterxml.jackson.module", "jackson-module-scala")
>> >>> exclude("com.fasterxml.jackson.module", "jackson-module-paranamer")
>> >>>
>> >>> I have  verified which artifacts are resolved by the build tool, by
>> >>> dependencyTree .
>> >>> The Jena requirements of the latest jenaVersion = "3.17.0" is
>> >>> :jackson-databind:2.11.3, which brings jackson-annotations and
>> >> jackson-core
>> >>> .
>> >>>
>> >>> Running show playDependencyClasspath , I get :
>> >>> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
>> >>>
>> >>
>> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.11.3/jackson-core-2.11.3.jar
>> >>> )
>> >>> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
>> >>>
>> >>
>> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-annotations/2.11.3/jackson-annotations-2.11.3.jar
>> >>> )
>> >>> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
>> >>>
>> >>
>> repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.10.4/jackson-datatype-jdk8-2.10.4.jar
>> >>> )
>> >>> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
>> >>>
>> >>
>> repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.10.4/jackson-datatype-jsr310-2.10.4.jar
>> >>> )
>> >>> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
>> >>>
>> >>
>> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar
>> >>> )
>> >>>
>> >>> I hoped to drop the Jackson Jena dependencies, and depend only on
>> >>> Jackson 2.10.4 like Play, but that 's not the case...
>> >>>
>> >>> Jean-Marc Vanel
>> >>> <
>> >>
>> http://semantic-forms.cc:1952/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me
>> >>>
>> >>> +33 (0)6 89 16 29 52
>> >>> Twitter: @jmvanel , @jmvanel_fr ; chat: irc://
>> irc.freenode.net#eulergui
>> >>>    Chroniques jardin
>> >>> <
>> >>
>> http://semantic-forms.cc:1952/history?uri=http%3A%2F%2Fdbpedia.org%2Fresource%2FChronicle
>> >>>
>> >>>
>> >>
>> >
>>
>

Re: Update Jena from 3.16 to 3.17 : problem with Jackson, diverging version in another software

Posted by Jean-Marc Vanel <je...@gmail.com>.

A found a cleaner way with SBT build engine to exclude all Jackson stuff
coming from Jena :
https://github.com/jmvanel/semantic_forms/blob/2b5bfb31a47376f86cfbb7f2820be1dbeada1a8b/scala/project/Common.scala#L21

But this does not fix the problem "JsonMappingException: Scala module
2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0 " .

I failed to find other dependencies that would bring Jackson 2.11.3 .
So either the SBT exclusion attempt does not work, or there is some other
dependency bringing Jackson 2.11.3  ( Akka ? ) .

Jean-Marc Vanel
<http://semantic-forms.cc:9112/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me>
+33
(0)6 89 16 29 52


Le sam. 12 déc. 2020 à 15:16, Andy Seaborne <an...@apache.org> a écrit :

>
>
> On 11/12/2020 16:26, Jean-Marc Vanel wrote:
> > I use latest Play Framework 2.8.5 with Scala (my project is
> > https://github.com/jmvanel/semantic_forms). I try to upgrade my Jena
> > dependency from 3.16.0 to 3.17.0 .
> > I get this message when running:
> > [error] com.fasterxml.jackson.databind.JsonMappingException: *Scala
> module
> > 2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0.*
> > Indeed Jena requires jackson-databind 2.11.3 , while Play is at 2.10.4 .
> I
> > tried  to add exclude("com.fasterxml.jackson.core", "jackson-databind" )
> in
> > build.sbt to all Jena dependencies, but no result :( .
>
> Try excluding all com.fasterxml.jackson from the Jena dependency
> declaration recursively.
>
> Jena would also get jackson from jsonld-java but excludes it.
>
> jsonld-java/0.13.2 currently at Jackson 2.11.x
>
> Jackson had a number of CVEs so taking control of the dependency in Jena
> meant Jena could release specifying fixed versions.
>
> Jena should work with 2.10.*  For the jsonld-java usage, there wasn't a
> breaking change.
>
> 2.11.* has an architecture change than makes the 2.10.* CVE issues go
> away by design.
>
> 2.12.x isn't a breaking change either for the usage made of it
> (according to the test suite).
>
> Of course, jackson is used by many libraries so it could be picked up by
> several paths.
>
>      Andy
>
> > I added on Jena all the exclusions for each jackson dependency , even
> > transitive , but problem is still here :
> >
> > exclude("com.fasterxml.jackson.core", "jackson-core" )
> > exclude("com.fasterxml.jackson.core", "jackson-databind" )
> > exclude("com.fasterxml.jackson.core", "jackson-annotations")
> > exclude("com.fasterxml.jackson.datatype", "jackson-datatype" )
> > exclude("com.fasterxml.jackson.datatype", "jackson-datatypejsr310")
> > exclude("com.fasterxml.jackson.datatype", "jackson-datatype-jdk8")
> > exclude("com.fasterxml.jackson.module", "jackson-module-parameter-names")
> > exclude("com.fasterxml.jackson.module", "jackson-module-scala")
> > exclude("com.fasterxml.jackson.module", "jackson-module-paranamer")
> >
> > I have  verified which artifacts are resolved by the build tool, by
> > dependencyTree .
> > The Jena requirements of the latest jenaVersion = "3.17.0" is
> > :jackson-databind:2.11.3, which brings jackson-annotations and
> jackson-core
> > .
> >
> > Running show playDependencyClasspath , I get :
> > [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
> >
> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.11.3/jackson-core-2.11.3.jar
> > )
> > [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
> >
> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-annotations/2.11.3/jackson-annotations-2.11.3.jar
> > )
> > [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
> >
> repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.10.4/jackson-datatype-jdk8-2.10.4.jar
> > )
> > [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
> >
> repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.10.4/jackson-datatype-jsr310-2.10.4.jar
> > )
> > [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
> >
> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar
> > )
> >
> > I hoped to drop the Jackson Jena dependencies, and depend only on
> > Jackson 2.10.4 like Play, but that 's not the case...
> >
> > Jean-Marc Vanel
> > <
> http://semantic-forms.cc:1952/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me
> >
> > +33 (0)6 89 16 29 52
> > Twitter: @jmvanel , @jmvanel_fr ; chat: irc://irc.freenode.net#eulergui
> >   Chroniques jardin
> > <
> http://semantic-forms.cc:1952/history?uri=http%3A%2F%2Fdbpedia.org%2Fresource%2FChronicle
> >
> >
>

Re: Update Jena from 3.16 to 3.17 : problem with Jackson, diverging version in another software

Posted by Andy Seaborne <an...@apache.org>.


On 11/12/2020 16:26, Jean-Marc Vanel wrote:
> I use latest Play Framework 2.8.5 with Scala (my project is
> https://github.com/jmvanel/semantic_forms). I try to upgrade my Jena
> dependency from 3.16.0 to 3.17.0 .
> I get this message when running:
> [error] com.fasterxml.jackson.databind.JsonMappingException: *Scala module
> 2.10.4 requires Jackson Databind version >= 2.10.0 and < 2.11.0.*
> Indeed Jena requires jackson-databind 2.11.3 , while Play is at 2.10.4 . I
> tried  to add exclude("com.fasterxml.jackson.core", "jackson-databind" ) in
> build.sbt to all Jena dependencies, but no result :( .

Try excluding all com.fasterxml.jackson from the Jena dependency 
declaration recursively.

Jena would also get jackson from jsonld-java but excludes it.

jsonld-java/0.13.2 currently at Jackson 2.11.x

Jackson had a number of CVEs so taking control of the dependency in Jena 
meant Jena could release specifying fixed versions.

Jena should work with 2.10.*  For the jsonld-java usage, there wasn't a 
breaking change.

2.11.* has an architecture change than makes the 2.10.* CVE issues go 
away by design.

2.12.x isn't a breaking change either for the usage made of it 
(according to the test suite).

Of course, jackson is used by many libraries so it could be picked up by 
several paths.

     Andy

> I added on Jena all the exclusions for each jackson dependency , even
> transitive , but problem is still here :
> 
> exclude("com.fasterxml.jackson.core", "jackson-core" )
> exclude("com.fasterxml.jackson.core", "jackson-databind" )
> exclude("com.fasterxml.jackson.core", "jackson-annotations")
> exclude("com.fasterxml.jackson.datatype", "jackson-datatype" )
> exclude("com.fasterxml.jackson.datatype", "jackson-datatypejsr310")
> exclude("com.fasterxml.jackson.datatype", "jackson-datatype-jdk8")
> exclude("com.fasterxml.jackson.module", "jackson-module-parameter-names")
> exclude("com.fasterxml.jackson.module", "jackson-module-scala")
> exclude("com.fasterxml.jackson.module", "jackson-module-paranamer")
> 
> I have  verified which artifacts are resolved by the build tool, by
> dependencyTree .
> The Jena requirements of the latest jenaVersion = "3.17.0" is
> :jackson-databind:2.11.3, which brings jackson-annotations and jackson-core
> .
> 
> Running show playDependencyClasspath , I get :
> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.11.3/jackson-core-2.11.3.jar
> )
> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-annotations/2.11.3/jackson-annotations-2.11.3.jar
> )
> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
> repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.10.4/jackson-datatype-jdk8-2.10.4.jar
> )
> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
> repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.10.4/jackson-datatype-jsr310-2.10.4.jar
> )
> [info] * Attributed(/home/jmv/.cache/coursier/v1/https/
> repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar
> )
> 
> I hoped to drop the Jackson Jena dependencies, and depend only on
> Jackson 2.10.4 like Play, but that 's not the case...
> 
> Jean-Marc Vanel
> <http://semantic-forms.cc:1952/display?displayuri=http://jmvanel.free.fr/jmv.rdf%23me>
> +33 (0)6 89 16 29 52
> Twitter: @jmvanel , @jmvanel_fr ; chat: irc://irc.freenode.net#eulergui
>   Chroniques jardin
> <http://semantic-forms.cc:1952/history?uri=http%3A%2F%2Fdbpedia.org%2Fresource%2FChronicle>
>