OnDemand
(Nico M)
March 27, 2026, 10:07am
1
Hi everyone,
I encountered a potential issue in Vaadin 25.1.0:
flow-server is pulling in Jackson 3.x (tools.jackson.*), but Flow still calls APIs that only exist in Jackson 2.x.
This results in an immediate runtime crash:
java.lang.NoSuchMethodError:
ObjectMapper.treeToValue(JsonNode, Class)
Is it possible that the method treeToValue() no longer exists in Jackson 3, which gets fetched by Vaadin 25.1.0?
Or is that a build problem? But I already removed node_modules and the package.json.
marcoc_753
(Marco Collovati)
March 27, 2026, 10:21am
2
If you are using Spring Boot, make sure to update to 4.0.4 or later.
marcoc_753
(Marco Collovati)
March 27, 2026, 10:22am
3
1 Like
I’m curious if there is a way to keep things stable. Obviously, 25. predicated itself on SpringBoot 4.0 before it had a chance to stabilize.
Without thinking about stability, we find ourselves scratching our heads over what point release of what library works with what.
Maybe there is a lesson somewhere here?
marcoc_753
(Marco Collovati)
March 31, 2026, 6:01am
5
The Jackson bump to 3.1 in a patch release was dictated by the end of support of Jackson 2.20 and 3.0 that were affected by a vulnerability:
* Jackson 2 has been upgraded to 2.21.1 in response to the Jackson team ending support for Jackson 2.20.x. [#49389](https://github.com/spring-projects/spring-boot/issues/49389)
* Jackson has been upgraded to 3.1.0 in response to the Jackson team ending support for Jackson 3.0.x. [#49383](https://github.com/spring-projects/spring-boot/issues/49383)
Some references:
opened 09:07PM - 13 Mar 26 UTC
closed 09:24PM - 13 Mar 26 UTC
status: duplicate
I was reviewing the latest `4.0.3` tagged source and comparing it to the `4.0.x` release branch for all `4.0` releases.
In version `4.0.3` the Jackson 2 version was `2.20.2` and the Jackson 3 version was `3.0.4`. See [here](https://github.com/spring-projects/spring-boot/blob/v4.0.3/gradle.properties#L14-L15).
For the upcoming `4.0.4` release, the Jackson 2 version was upgraded to `2.21.1` and Jackson 3 was upgraded to `3.1.0`. See [here](https://github.com/spring-projects/spring-boot/blob/4.0.x/gradle.properties#L14-L15). These versions match the Jackson 2/3 versions in Spring Boot `4.1.x` as seen [here](https://github.com/spring-projects/spring-boot/blob/main/gradle.properties#L14-L15).
I don't ever recall minor version updates in patch releases (e.g. from `4.0.3` to `4.0.4`).
Was this intentional?
opened 11:21AM - 03 Mar 26 UTC
closed 02:04PM - 03 Mar 26 UTC
type: dependency-upgrade
for: upgrade-attention
Spring Boot 4.0.x includes `tools.jackson.core:jackson-core:3.0.4`, which is affected by the vulnerability GHSA-72hv-8253-57qq (CVSS 8.7). This is the same async parser `maxNumberLength` bypass issue that is being addressed in Spring Boot 3.5.x via #49365.
The same pattern applies here:
- The vulnerability is fixed in `jackson-core:3.1.0` (released 2026-02-23).
- No fix has been backported to the `3.0.x` branch.
- Spring Boot 4.0.x cannot adopt the fix without a minor version upgrade.
Since the team previously decided to take the unusual but necessary step of upgrading to a new Jackson minor version in a 3.5.x patch release to address this vulnerability (#49365), would it be possible and appropriate to do the same for 4.0.x?
https://nvd.nist.gov/vuln/detail/CVE-2026-29062
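A check readers could run against their own resolved dependencies, as an added example that is not part of the thread or of any project mentioned in it: it scans `mvn dependency:tree` output for `jackson-core` below the versions named above. The function names, the sample tree and the use of 2.21.1 as a floor for Jackson 2 are assumptions of this example.

```python
import re

# Floors taken from the thread: GHSA-72hv-8253-57qq is fixed in jackson-core 3.1.0,
# and Spring Boot 4.0.4 moved Jackson 2 to 2.21.1. Using 2.21.1 as a hard floor
# is an assumption of this example.
FLOORS = {
    "tools.jackson.core:jackson-core": (3, 1, 0),
    "com.fasterxml.jackson.core:jackson-core": (2, 21, 1),
}

# group:artifact:packaging:version:scope at the end of a dependency:tree line.
COORD = re.compile(
    r"([\w.\-]+):([\w.\-]+):[\w\-]+:(\d+(?:\.\d+)*)(-[\w.\-]+)?:(\w+)\s*$"
)

def parse_version(text):
    """Turn '3.0.4' into (3, 0, 4), padding short versions with zeros."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def find_outdated(tree_output):
    """Return (coordinate, resolved version, floor) for each jackson-core below its floor."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        key = f"{m.group(1)}:{m.group(2)}"
        floor = FLOORS.get(key)
        if floor is None:
            continue
        version = parse_version(m.group(3))
        # A pre-release of the floor version (e.g. 3.1.0-rc1) sorts before it.
        prerelease = m.group(4) is not None
        if version < floor or (version == floor and prerelease):
            resolved = m.group(3) + (m.group(4) or "")
            findings.append((key, resolved, ".".join(map(str, floor))))
    return findings

# Constructed sample, not output captured from a real build.
SAMPLE_TREE = """[INFO] com.example:demo:jar:1.0.0
[INFO] +- tools.jackson.core:jackson-databind:jar:3.0.4:compile
[INFO] |  +- tools.jackson.core:jackson-core:jar:3.0.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.21.1:compile
"""

if __name__ == "__main__":
    for coord, resolved, floor in find_outdated(SAMPLE_TREE):
        print(f"{coord} resolved to {resolved}, expected >= {floor}")
```
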
OnDemand
(Nico M)
March 31, 2026, 10:52am
6
Soo vaadin 25.1.1 and Spring Boot Starter Parent 4.0.5 is a working combi? At least it starts and seems to work :)
marcoc_753
(Marco Collovati)
March 31, 2026, 12:07pm
7
All Vaadin 25.x / Spring Boot 4.0.4+ combinations should work.
EDIT: for Vaadin 25.0 better use Vaadin 25.0.8 to make sure there are no incompatibilities