
Expected release date for 2.5.2? #236

Closed
rlubke opened this issue Feb 10, 2025 · 17 comments

Comments

rlubke commented Feb 10, 2025

The project landing page states that 2.5.2 was released on 2/7/2025, but I don't see a tag for the release, a release in the project, or one in Maven.
When can we expect a release for this?

snhrdt commented Feb 10, 2025

Let us first thank @hezhangjian for taking over this project. But then, yes, please push out the release. Thank you!

yeikel commented Feb 10, 2025

Latest update here #233 (comment)

hezhangjian (Collaborator) commented

@rlubke @snhrdt I have emailed @UrielCh to push a release to Maven Central (needs his GPG key). Currently, I think the process is waiting for the Sonatype migration.

cricstats commented

Given this is a CVE that is probably affecting many projects, is there a chance to expedite this release?

jumarko commented Feb 11, 2025

+1 for expediting the 2.5.2 release

rlubke (Author) commented Feb 11, 2025

Thanks for taking up the torch, @hezhangjian

ccudennec-otto (Contributor) commented Feb 11, 2025

Some remarks on the CVE:

  • as mentioned here, it is quite unlikely that the vulnerability is exploited if you come here because of Spring Security / com.nimbusds:oauth2-oidc-sdk
  • the code changes for the upcoming release will "only" fix the default modes provided by JSONParser, e.g. MODE_RFC4627
  • if you create the JSONParser manually / with custom options, make sure you set option LIMIT_JSON_DEPTH
    • since that's what "connect2id" is doing in their library, they were responsible for fixing it. They've already provided a new 11.x release that fixes the JSONParser setup on their side, i.e. you rather need their fixed version and not version 2.5.2 of json-smart
    • as stated here, they would also need to backport the fix to the versions that Spring Security needs IMHO

So I'm afraid technically "connect2id" (9.x, 10.x) and Spring Security would also be affected by this CVE - although the probability that it can be exploited seems low 🙈

@hezhangjian : Maybe we could elaborate on this in the release notes, too.
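The point in the list above, as an added example (not code from json-smart, connect2id or this thread): a hand-built JSONParser option mask with and without LIMIT_JSON_DEPTH, a small audit helper for such masks, and a run over a constructed nested input. The option constants are json-smart's, as named above; CUSTOM_OPTIONS, the helper names and the 10_000-level input are assumptions.

```java
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;

// Added example, not code from json-smart, connect2id or this thread.
public class DepthLimitCheck {

    // A hand-built option mask like a library might pass to new JSONParser(int).
    // Assumption: these two options stand in for whatever custom options a caller uses.
    // The 2.5.2 fix only changes the default modes (MODE_RFC4627 etc.), so this mask
    // stays unlimited unless LIMIT_JSON_DEPTH is added explicitly.
    static final int CUSTOM_OPTIONS = JSONParser.ACCEPT_SIMPLE_QUOTE | JSONParser.IGNORE_CONTROL_CHAR;

    // Hardened mask: OR in LIMIT_JSON_DEPTH, as recommended above.
    static final int HARDENED_OPTIONS = CUSTOM_OPTIONS | JSONParser.LIMIT_JSON_DEPTH;

    // Cheap audit for a code review or unit test: does a mask carry the depth limit?
    static boolean maskHasDepthLimit(int permissiveMode) {
        return (permissiveMode & JSONParser.LIMIT_JSON_DEPTH) != 0;
    }

    // Constructed input: an array nested `depth` levels deep, e.g. "[[[]]]" for depth 3.
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(2 * depth);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // True if the parser accepts the document, false if it rejects it with a ParseException.
    static boolean accepts(JSONParser parser, String json) {
        try {
            parser.parse(json);
            return true;
        } catch (ParseException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("custom mask has depth limit:   " + maskHasDepthLimit(CUSTOM_OPTIONS));
        System.out.println("hardened mask has depth limit: " + maskHasDepthLimit(HARDENED_OPTIONS));
        // Assumption: 10_000 levels is far beyond json-smart's built-in depth cap, so the
        // hardened parser rejects it with a ParseException instead of recursing until the
        // stack is exhausted. The unlimited mask is deliberately not run on this input.
        JSONParser hardened = new JSONParser(HARDENED_OPTIONS);
        System.out.println("hardened parser, shallow input: " + accepts(hardened, nestedArrays(5)));
        System.out.println("hardened parser, deep input:    " + accepts(hardened, nestedArrays(10_000)));
    }
}
```

The maskHasDepthLimit check is the one to put in a unit test of any code that constructs its own JSONParser, since the 2.5.2 upgrade alone does not change such code.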

marcelstoer commented

> So I'm afraid technically "connect2id" (9.x, 10.x) and Spring Security would also be affected by this CVE

As so often in software supply chain security, fixing the actual vulnerability and quieting the monitoring tools that reported it ain't the same thing.

So, if you use Spring Security:

  • to fix you will need to wait for both a new connect2id 9.x release and a Spring Security release that incorporates it
  • to quiet the monitoring tools you will need to wait for json-smart 2.5.2 and use that version instead of the one you get transitively through Spring Security and connect2id

hezhangjian (Collaborator) commented

@ccudennec-otto
Thank you for your insights regarding the CVE and its implications. I appreciate the detailed feedback on how the upcoming release will address the default modes for the JSONParser.
I can put this explanation in GitHub release notes. :)

UrielCh (Contributor) commented Feb 11, 2025

Extract from Sonatype response:

> We suspect that your account access has been lost due to the migration to the new auth system last year.

net.minidev recovery in progress...

yeikel commented Feb 11, 2025

> Extract from Sonatype response:
>
> > We suspect that your account access has been lost due to the migration to the new auth system last year.
>
> net.minidev recovery in progress...

Thank you for the quick turnaround

cricstats commented

Any update on when a new version can be released?

drriguz commented Feb 12, 2025

looking forward to this release :p

UrielCh (Contributor) commented Feb 12, 2025

Access to Sonatype recovered.

Release published at 5:30 am local time 😫

siladu commented Feb 12, 2025

Is it correct that 2.5.2 is supposed to be the only version specified in https://repo.maven.apache.org/maven2/net/minidev/json-smart/maven-metadata.xml?

This is breaking some upstream dependencies, namely oauth2-oidc-sdk, which has this in its POM:

<dependency>
    <groupId>net.minidev</groupId>
    <artifactId>json-smart</artifactId>
    <version>[1.3.2,2.4.2]</version>
</dependency>

transitive via io.kubernetes:client-java

./gradlew dependencyInsight --configuration=runtimeClasspath --dependency=json-smart

> Configure project :
Generating project version as supplied is version not semver: unspecified

> Task :dependencyInsight
net.minidev:json-smart:[1.3.2,2.4.2] FAILED
   Failures:
      - Could not find any version that matches net.minidev:json-smart:[1.3.2,2.4.2].
        Versions that do not match: 2.5.2
        Searched in the following locations:
          - https://repo.maven.apache.org/maven2/net/minidev/json-smart/maven-metadata.xml

net.minidev:json-smart:[1.3.2,2.4.2] FAILED
\--- com.nimbusds:oauth2-oidc-sdk:9.4
     \--- com.microsoft.azure:adal4j:1.6.7
          \--- io.kubernetes:client-java:21.0.1-legacy
               +--- project :nat (requested io.kubernetes:client-java)

jameshiggie commented

I am also experiencing this

> This is breaking some upstream dependencies, namely oauth2-oidc-sdk, which has this in its POM:
>
> <dependency>
>     <groupId>net.minidev</groupId>
>     <artifactId>json-smart</artifactId>
>     <version>[1.3.2,2.4.2]</version>
> </dependency>
>
> transitive via io.kubernetes:client-java
>
> ./gradlew dependencyInsight --configuration=runtimeClasspath --dependency=json-smart
>
> > Configure project :
> Generating project version as supplied is version not semver: unspecified
>
> > Task :dependencyInsight
> net.minidev:json-smart:[1.3.2,2.4.2] FAILED
>    Failures:
>       - Could not find any version that matches net.minidev:json-smart:[1.3.2,2.4.2].
>         Versions that do not match: 2.5.2
>         Searched in the following locations:
>           - https://repo.maven.apache.org/maven2/net/minidev/json-smart/maven-metadata.xml
>
> net.minidev:json-smart:[1.3.2,2.4.2] FAILED
> \--- com.nimbusds:oauth2-oidc-sdk:9.4
>      \--- com.microsoft.azure:adal4j:1.6.7
>           \--- io.kubernetes:client-java:21.0.1-legacy
>                +--- project :nat (requested io.kubernetes:client-java)

hezhangjian (Collaborator) commented

Closed by release; versions can be discussed in #240.
