I opened a new PR to upgrade the json-lib dependency used by GeoServer to newest 3.2.0-limit-fix version:
The objetive is to update old commons dependencies from the old json-lib 2.x custom version, that is not currently supported and is not receiving updates. Also to take advantages of latest hardening and bugfixes.
This custom version contains several aditions in order to be compatible with the needs of GeoServer including some backward compatibility features with json-lib 2.x required to remain compatible and passing the tests.
Some of the feautres added on top of vanilla json-lib 3.2.0 are:
Makes JSON nesting depth configurable (instead of hardcoded 20).
Sets default max depth to 100 (backward-compatible with GeoServer expectations).
Adds upper bound clamp to avoid OOM from very large json.maxDepth values.
Preserves legacy single-quoted string normalization behavior on programmatic APIs.
Preserves legacy number coercion behavior in numeric parsing.
Updates commons-lang3 dependency to 3.18.0.
Since this new GeoServer custom version is allocated on GeoSolutions github repo and currently only published on GeoSolutions maven repo, we need to publish the artifacts into the OSGeo maven repository, in the same way the previous json-lib 2.x custom version was done.
Hence, I am once again asking for your support and permission to:
Publish the artifacts into OSGeo Maven repo server.
And then, merge the version upgrade PR after the validation jobs pass.
Please let me know any doubt, clarification, argument or hint, and thanks in advance for your kind guidance in this topic.