Consider making Jackson an optional non-shaded dependency #3034
Description
🤔 What's the problem you're trying to solve?
Cucumber uses Jackson to serialize data into Json. This is used by the html, json, message and usage plugins.
To avoid interfering with the dependencies of the system under test we shade Jackson into cucumber-core. This has not been without issue (#2786, #2620) but for now it seems to be stable.
However it also means that when Jackson gets a critical security upgrade Cucumber also has to upgrade. And until Cucumber does, end users can not upgrade Jackson independently from Cucumber. This is less than ideal as it increases the overall response time to incidents.
Further more it complicates the licensing status of cucumber-core distribution which is now partially MIT and partially Apache 2.0 licensed. Fortunately both are OSI approved licenses so in practice it won't matter too much.
✨ What's your proposed solution?
Make jackson-databind and jackson-datatype-jdk8 optional, non-shaded dependencies. Wrap the creation of the object mapper in a try-catch that provides an explanatory message informing the users about the dependencies to add should they be missing. Additionally there should be a try catch in case the configuration of the object mapper fails with a prompt to create an issue (or upgrade/downgrade jackson)
This mechanism could then also be extended to support Gson. Allowing Cucumber to use what tools happen to be available (think Spring auto-configuration).
⛏ Have you considered any alternatives or workarounds?
Instead of writing our own code, we could use the JSR 353 jsonb-api. Though there is only one supporting implementation, neither Jackson nor Gson support it at the moment - nor do they seem to be involved in the project.
📚 Any additional context?
Jackson 3.0 is scheduled for Q3 2025 . It would make sense to hold off on this feature until at least Spring has removed Jackson 2 from its supported versions.