@dependabot dependabot bot commented on behalf of github Jan 1, 2026

Bumps com.cedarsoftware:json-io from 4.70.0 to 4.72.0.

Changelog

Sourced from com.cedarsoftware:json-io's changelog.

4.72.0 - 2025-12-31

  • DEPENDENCY: Updated java-util to version 4.72.0
    • Includes fix for ThreadedLRUCacheStrategy scheduled task accumulation
    • Includes fix for Jackson dependencies incorrectly declared without <scope>test</scope>
  • PERFORMANCE: JsonWriter - Eliminate redundant @type for Collection and Map elements
    • When a field is declared with generic type info (e.g., List<Person>), @type is now omitted on elements when the element class exactly matches the declared element type
    • Extends to Map keys/values when using @keys/@items format (e.g., Map<Building, Person>)
    • Produces shorter JSON output without loss of type information
    • Parser already handles type inference from context, so this is backward compatible
  • PERFORMANCE: MapResolver - Optimized Maps mode from 9x slower to 4x slower than Jackson
    • Added MAP_OPTIONS_CACHE to avoid creating ReadOptionsBuilder on every toMaps() call
    • Added fastPrimitiveCoercion() for common JSON primitive to Java primitive conversions without Converter lookup
    • Added isNonReferenceableClass check before Converter lookup in traverseArray - user types are not nonRef and Converter cannot convert them
    • Added early exit for Object.class or matching types in traverseFields
    • Cache readOptions local variable in traverseArray hot loop
  • PERFORMANCE: Resolver - Added early isFinished check in push() method
    • Skips pushing objects that are already fully resolved, reducing unnecessary work
  • PERFORMANCE: Replaced Array reflection calls with faster ArrayUtilities methods
    • Uses optimized array operations from java-util for better performance
  • FIX: ArrayFactory - Fixed converting subclass types unnecessarily
    • Added isAssignableFrom check before calling Converter
    • Only convert if value is NOT already assignable to the component type
    • Preserves subclass types in polymorphic arrays (e.g., java.sql.Date in Date[] arrays)
  • ADDED: Aliases for new JDK factory types
    • AbstractMap.SimpleEntry, AbstractMap.SimpleImmutableEntry
    • ReentrantLock, ReentrantReadWriteLock
    • Semaphore, CountDownLatch

4.71.0 - 2025-12-31

  • FIX: Added factories and writers for JDK classes with inaccessible private final fields on Java 9+:
    • Java 9+ module system blocks reflection access to private final fields in java.base module
    • JDK classes are not compiled with -parameters flag, so constructor parameter names are synthetic (arg0, arg1), preventing named parameter matching
    • New Factories (extract state from JsonObject, invoke constructors directly):
      • SimpleEntryFactory - Handles AbstractMap.SimpleEntry and AbstractMap.SimpleImmutableEntry
      • ReentrantLockFactory - Creates ReentrantLock with correct fairness setting
      • ReentrantReadWriteLockFactory - Creates ReentrantReadWriteLock with correct fairness setting
      • SemaphoreFactory - Creates Semaphore with permits and fairness
      • CountDownLatchFactory - Creates CountDownLatch with initial count
      • OptionalFactory - Creates Optional.empty() or Optional.of(value)
    • New Writers (serialize meaningful state instead of internal Sync fields):
      • ReentrantLockWriter - Writes fairness setting
      • ReentrantReadWriteLockWriter - Writes fairness setting
      • SemaphoreWriter - Writes available permits and fairness
      • CountDownLatchWriter - Writes current count
      • OptionalWriter - Writes value or empty marker
    • Impact: These JDK types now round-trip correctly through JSON serialization on all Java versions
    • Backward Compatible: No API changes, automatic factory/writer registration via config files
  • FIX: ObjectResolver - Fixed potential NullPointerException in traverseArray() when array elements are null
    • Added null check before calling getClass() on array elements created by createInstance()
  • SECURITY: ObjectResolver - Fixed bypass of security limits for unresolved references and missing fields

... (truncated)

Commits
  • 174ea88 Merge remote changelog update, resolve conflict
  • 4b706a0 Release 4.72.0 - Performance optimizations and bug fixes
  • ca287fd Add aliases for new JDK factory types
  • 9d50f1b Add concrete Map type fields to JsonPerformanceTest
  • 59acf72 Fix ArrayFactory converting subclass types unnecessarily
  • bf9fa03 Performance: Optimize Maps mode from 9x to 4x slower than Jackson
  • 50e3902 Restore enhanced JsonPerformanceTest compatible with 4.71.0
  • c5c1fd2 Add early isFinished check in Resolver.push() for performance
  • b7485cf Replace Array reflection calls with faster ArrayUtilities methods
  • 35f5c30 Add JsonWriter @type elimination optimizations and update java-util to 4.71.0
  • Additional commits viewable in compare view


Bumps [com.cedarsoftware:json-io](https://github.com/jdereg/json-io) from 4.70.0 to 4.72.0.
- [Changelog](https://github.com/jdereg/json-io/blob/master/changelog.md)
- [Commits](jdereg/json-io@4.70.0...4.72.0)

---
updated-dependencies:
- dependency-name: com.cedarsoftware:json-io
  dependency-version: 4.72.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and java labels Jan 1, 2026
dependabot bot commented on behalf of github Jan 5, 2026

Superseded by #327.

@dependabot dependabot bot closed this Jan 5, 2026
@dependabot dependabot bot deleted the dependabot/gradle/com.cedarsoftware-json-io-4.72.0 branch January 5, 2026 22:02