Skip to content

Update fastjson v1 1.2.83 to fastjson v2 2.0.61 (latest)#1424

Open
ar249 wants to merge 1 commit into
sofastack:masterfrom
ar249:fix/update-fastjson-version
Open

Update fastjson v1 1.2.83 to fastjson v2 2.0.61 (latest)#1424
ar249 wants to merge 1 commit into
sofastack:masterfrom
ar249:fix/update-fastjson-version

Conversation

@ar249
Copy link
Copy Markdown

@ar249 ar249 commented May 4, 2026
edited
Loading

Problem

mvn dependency:tree revealed the following issues with fastjson dependencies:

  • fastjson v1 (com.alibaba:fastjson:1.2.83) was explicitly declared
    as a direct dependency in pom.xml — fastjson v1 has known critical
    CVEs (RCE, deserialization vulnerabilities) and has been superseded by
    fastjson2
  • Version conflict between fastjson2:2.0.23 and fastjson2:2.0.61
    being pulled transitively
  • Legacy fastjson v1 (com.alibaba:fastjson) being pulled as a
    transitive dependency unnecessarily

Changes

  • Pinned fastjson2 to 2.0.61 in dependencyManagement to enforce
    consistent version across all transitive dependencies
  • Excluded legacy fastjson v1 transitive dependency from rocketmq-spring-boot-starter & dubbo

Verification

mvn dependency:tree | grep fastjson

All references now consistently resolve to 2.0.61 with no legacy
fastjson v1 present.

Before

image

After

image

@sofastack-cla
Copy link
Copy Markdown

sofastack-cla Bot commented May 4, 2026

Hi @ar249, welcome to SOFAStack community, Please sign Contributor License Agreement!

After you signed CLA, we will automatically sync the status of this pull request in 3 minutes.

@ar249
Update fastjson v1 from 1.2.83 to fastjson v2 2.0.61 and exclude tran…
7beb53f 
…sitive fastjson v1 dependency.

Fixes sofastackgh-1399

Signed-off-by: Arindam Singh <96876969+ar249@users.noreply.github.com>
@ar249 ar249 force-pushed the fix/update-fastjson-version branch from 3e353dd to 7beb53f Compare May 4, 2026 11:02
@sofastack-cla sofastack-cla Bot added cla:yes and removed cla:no labels May 4, 2026
@ar249 ar249 mentioned this pull request May 4, 2026
Open
@ar249 ar249 closed this May 5, 2026
@ar249 ar249 deleted the fix/update-fastjson-version branch May 5, 2026 03:56
@ar249 ar249 restored the fix/update-fastjson-version branch May 5, 2026 03:56
@ar249 ar249 reopened this May 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

cla:yes First-time contributor size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security] Upgrade Fastjson to 2.x

1 participant

@ar249