
alibaba/fastjson

FASTJSON 2.0.x has been released, faster and more secure, recommend you upgrade.

Healthy

Healthy across all four use cases

Use as dependency: Healthy (weakest axis)

Permissive license, no critical CVEs, actively maintained — safe to depend on.

Fork & modify: Healthy

Has a license, tests, and CI — clean foundation to fork and modify.

Learn from: Healthy

Documented and popular — useful reference codebase to read through.

Deploy as-is: Healthy

No critical CVEs, sane security posture — runnable as-is.

  • 17 active contributors
  • Apache-2.0 licensed
  • CI configured
  • Tests present
  • Stale — last commit 2y ago
  • Concentrated ownership — top contributor handles 75% of recent commits

Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests

Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.


Onboarding doc

Onboarding: alibaba/fastjson

Generated by RepoPilot · 2026-05-09

🤖 Agent protocol

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

  1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
  2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
  3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/alibaba/fastjson shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

🎯 Verdict

GO — Healthy across all four use cases

  • 17 active contributors
  • Apache-2.0 licensed
  • CI configured
  • Tests present
  • ⚠ Stale — last commit 2y ago
  • ⚠ Concentrated ownership — top contributor handles 75% of recent commits

<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>

Verify before trusting

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live alibaba/fastjson repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/alibaba/fastjson.

What it runs against: a local clone of alibaba/fastjson — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in alibaba/fastjson | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 691 days ago | Catches sudden abandonment since generation |

<details> <summary><b>Run all checks</b> — paste this script from inside your clone of <code>alibaba/fastjson</code></summary>
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of alibaba/fastjson. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/alibaba/fastjson.git
#   cd fastjson
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of alibaba/fastjson and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "alibaba/fastjson(\.git)?\b" \
  && ok "origin remote is alibaba/fastjson" \
  || miss "origin remote is not alibaba/fastjson (artifact may be from a fork)"

# 2. License matches what RepoPilot saw.
# The canonical Apache LICENSE text carries no SPDX id: it opens with
# "Apache License" / "Version 2.0", so both spellings are accepted here.
( (grep -qiE "Apache-2\.0|Apache License" LICENSE 2>/dev/null \
    && grep -qiE "Apache-2\.0|Version 2\.0" LICENSE 2>/dev/null) \
   || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist
for f in \
  "src/main/java/com/alibaba/fastjson/JSON.java" \
  "src/main/java/com/alibaba/fastjson/parser/DefaultJSONParser.java" \
  "src/main/java/com/alibaba/fastjson/parser/JSONLexer.java" \
  "src/main/java/com/alibaba/fastjson/serializer/ASMSerializerFactory.java" \
  "src/main/java/com/alibaba/fastjson/parser/deserializer/JavaBeanDeserializer.java"
do
  test -f "$f" && ok "$f" || miss "missing critical file: $f"
done

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 691 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~661d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/alibaba/fastjson"
  exit 1
fi
```

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

</details>

TL;DR

FastJSON 1.x is a high-performance Java library for serializing Java objects to JSON and deserializing JSON strings back to Java objects. It uses bytecode generation (ASM-based code generation in src/main/java/com/alibaba/fastjson/asm/) and optimized parsing (JSONLexer, DefaultJSONParser) to achieve faster serialization/deserialization than standard libraries, with support for arbitrary complex objects, generics, and custom representations. Note: This is the legacy 1.2.84-SNAPSHOT branch; FastJSON 2.0.x is the actively recommended upgrade. Monolithic JAR structured as: src/main/java/com/alibaba/fastjson/ contains core API (JSON.java, JSONObject.java, JSONArray.java); src/main/java/com/alibaba/fastjson/parser/ holds lexing/parsing (JSONLexer.java, DefaultJSONParser.java, Feature.java); src/main/java/com/alibaba/fastjson/asm/ embeds bytecode generation (ClassWriter.java, MethodWriter.java, FieldWriter.java); src/main/java/com/alibaba/fastjson/annotation/ defines metadata (@JSONField, @JSONType, @JSONCreator). No modular packages—monolithic design reflects pre-Java 9 architecture.

👥 Who it's for

Java backend engineers and Android developers who need to parse/serialize JSON at scale with minimal latency. Enterprise teams using Alibaba infrastructure or requiring extreme throughput on high-volume APIs. Developers maintaining legacy systems already on FastJSON 1.x who haven't migrated to 2.0.x yet.

🌱 Maturity & risk

Mature but deprecated. The repo shows production-ready code (7.4M lines of Java, comprehensive test coverage via CI/codecov, Apache 2 license, active maintainers listed in pom.xml). However, README prominently states 'FASTJSON 2.0.x has been released, faster and more secure, recommend you upgrade'—indicating this 1.x branch is in legacy maintenance mode, not active development.

Moderate risk for new projects. This is explicitly the legacy branch (1.2.84-SNAPSHOT); production vulnerabilities may only receive backports. Single-threaded parsing architecture (visible in DefaultJSONParser.java) may not scale well for concurrent workloads. Prior FastJSON versions had deserialization gadget chain vulnerabilities (CVE-2022-24086, CVE-2022-45787)—code review required for untrusted JSON input even on 1.2.84. Minimal external dependencies (good) but reliance on internal ASM compiler adds maintenance surface.

Active areas of work

Active but maintenance-only. CI/CD via GitHub Actions (.github/workflows/ci.yaml) runs tests on commits. Version is 1.2.84-SNAPSHOT, suggesting a final patch release in progress. No major feature development visible—focus is on bug fixes and security patches. Fuzzing via OSS-Fuzz enabled (badge in README). The repo itself directs users to fastjson2 for new projects.

🚀 Get running

git clone https://github.com/alibaba/fastjson.git
cd fastjson
mvn clean install
mvn test

Requires Maven 3.x, JDK 1.5+ (per pom.xml jdk.version property). No external services needed; all tests run locally.

Daily commands:

mvn clean install
mvn test  # Run all unit tests

No dev server—this is a library JAR. For development/iteration: mvn compile to regenerate bytecode, then run individual test classes via IDE. Gitpod config present (.gitpod.yml) for browser-based dev.

🗺️ Map of the codebase

  • src/main/java/com/alibaba/fastjson/JSON.java — Primary entry point for all JSON parsing and serialization operations; all contributors must understand the public API surface here.
  • src/main/java/com/alibaba/fastjson/parser/DefaultJSONParser.java — Core JSON parsing engine that tokenizes and deserializes JSON strings; critical for understanding the parsing pipeline.
  • src/main/java/com/alibaba/fastjson/parser/JSONLexer.java — Lexical analyzer that breaks JSON input into tokens; fundamental to parsing performance and correctness.
  • src/main/java/com/alibaba/fastjson/serializer/ASMSerializerFactory.java — Generates bytecode for high-performance serialization at runtime using ASM; critical performance optimization layer.
  • src/main/java/com/alibaba/fastjson/parser/deserializer/JavaBeanDeserializer.java — Core deserializer for converting JSON to Java objects; handles complex object instantiation and field mapping.
  • src/main/java/com/alibaba/fastjson/JSONObject.java — Primary data structure for representing JSON objects in memory; extensively used throughout the codebase.
  • src/main/java/com/alibaba/fastjson/parser/ParserConfig.java — Centralized configuration and caching for parser behavior, deserializers, and security features.

🛠️ How to make changes

Add a Custom Type Deserializer

  1. Create a new class implementing ObjectDeserializer interface (src/main/java/com/alibaba/fastjson/parser/deserializer/ObjectDeserializer.java)
  2. Implement the deserialze(DefaultJSONParser, Type, Object) method (spelled without the second "i" in fastjson 1.x) to convert JSON tokens to your type (src/main/java/com/alibaba/fastjson/parser/deserializer/)
  3. Register your deserializer in ParserConfig.putDeserializer(Type, ObjectDeserializer) (src/main/java/com/alibaba/fastjson/parser/ParserConfig.java)
  4. Test by calling JSON.parseObject(jsonString, YourType.class) or use @JSONField annotation on target fields (src/main/java/com/alibaba/fastjson/JSON.java)

Add a Custom Type Serializer

  1. Create a new class implementing ObjectSerializer interface or extend SerializeWriter (src/main/java/com/alibaba/fastjson/serializer/)
  2. Implement write(JSONSerializer, Object, Object, Type, int) to generate JSON output (src/main/java/com/alibaba/fastjson/serializer/)
  3. Register in SerializeConfig.put(Type, ObjectSerializer) before serialization (src/main/java/com/alibaba/fastjson/serializer/)
  4. Test by calling JSON.toJSONString(object) with your registered type (src/main/java/com/alibaba/fastjson/JSON.java)
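The two recipes above, carried through end to end in one added example that is not code from the fastjson repository or from this artifact. It registers a matched serializer and deserializer for a hypothetical `Money` value type (the `Money` and `Invoice` classes and the `"12.34 USD"` wire format are assumptions made for the example) and uses the fastjson 1.x `ObjectSerializer.write(...)`, `ObjectDeserializer.deserialze(...)` and `getFastMatchToken()` entry points, plus `SerializeConfig.put` and `ParserConfig.putDeserializer` for registration. The deserializer validates the wire format strictly and throws `JSONException` on anything else, so malformed input fails loudly instead of producing a half-populated object.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.DefaultJSONParser;
import com.alibaba.fastjson.parser.JSONToken;
import com.alibaba.fastjson.parser.ParserConfig;
import com.alibaba.fastjson.parser.deserializer.ObjectDeserializer;
import com.alibaba.fastjson.serializer.JSONSerializer;
import com.alibaba.fastjson.serializer.ObjectSerializer;
import com.alibaba.fastjson.serializer.SerializeConfig;

import java.io.IOException;
import java.lang.reflect.Type;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MoneyCodecExample {

    // Hypothetical value type: amount in minor units plus a three-letter currency code.
    public static final class Money {
        public final long minorUnits;
        public final String currency;
        public Money(long minorUnits, String currency) { this.minorUnits = minorUnits; this.currency = currency; }
    }

    // Assumed wire format "<units>.<two digits> <CCC>", e.g. "12.34 USD". Anchored so that
    // the deserializer accepts exactly this shape and nothing else.
    private static final Pattern WIRE = Pattern.compile("^(\\d{1,12})\\.(\\d{2}) ([A-Z]{3})$");

    /** Serializer recipe, steps 1-2: Money -> JSON string. */
    public static final class MoneySerializer implements ObjectSerializer {
        @Override
        public void write(JSONSerializer serializer, Object object, Object fieldName,
                          Type fieldType, int features) throws IOException {
            if (object == null) { serializer.writeNull(); return; }
            Money m = (Money) object;
            String text = String.format("%d.%02d %s", m.minorUnits / 100, m.minorUnits % 100, m.currency);
            serializer.write(text); // emits a quoted, escaped JSON string
        }
    }

    /** Deserializer recipe, steps 1-2: JSON string -> Money, validated against WIRE. */
    public static final class MoneyDeserializer implements ObjectDeserializer {
        @Override
        @SuppressWarnings("unchecked")
        public <T> T deserialze(DefaultJSONParser parser, Type type, Object fieldName) {
            Object raw = parser.parse(fieldName); // consumes the next JSON value and advances the lexer
            if (raw == null) { return null; }
            if (!(raw instanceof String)) {
                throw new JSONException("Money must be a JSON string, got " + raw.getClass().getSimpleName());
            }
            Matcher m = WIRE.matcher((String) raw);
            if (!m.matches()) { throw new JSONException("malformed Money value: " + raw); }
            long minor = Long.parseLong(m.group(1)) * 100 + Long.parseLong(m.group(2));
            return (T) new Money(minor, m.group(3));
        }

        @Override
        public int getFastMatchToken() { return JSONToken.LITERAL_STRING; }
    }

    // Hypothetical bean carrying a Money field, to show the codec inside a larger object.
    public static class Invoice {
        private String number;
        private Money total;
        public String getNumber() { return number; }
        public void setNumber(String number) { this.number = number; }
        public Money getTotal() { return total; }
        public void setTotal(Money total) { this.total = total; }
    }

    /** Step 3 of both recipes: register once, before the first (de)serialization of Money. */
    public static void registerMoneyCodec() {
        SerializeConfig.getGlobalInstance().put(Money.class, new MoneySerializer());
        ParserConfig.getGlobalInstance().putDeserializer(Money.class, new MoneyDeserializer());
    }

    /** Step 4 of both recipes: round trip, then a constructed malformed input. */
    public static void main(String[] args) {
        registerMoneyCodec();

        Invoice inv = new Invoice();
        inv.setNumber("INV-7");
        inv.setTotal(new Money(1234, "USD"));
        String json = JSON.toJSONString(inv); // e.g. {"number":"INV-7","total":"12.34 USD"}
        System.out.println(json);

        Invoice back = JSON.parseObject(json, Invoice.class);
        System.out.println(back.getTotal().minorUnits + " " + back.getTotal().currency);

        // Constructed bad input: one decimal digit instead of two. The strict pattern rejects it.
        try {
            JSON.parseObject("{\"number\":\"INV-8\",\"total\":\"12.3 USD\"}", Invoice.class);
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Registration goes through the global `SerializeConfig`/`ParserConfig` here; if your application builds its own config instances, register on those instead and pass them to the `JSON.toJSONString`/`JSON.parseObject` overloads that accept a config.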

Add Field-Level Serialization Control with Annotations

  1. Use @JSONField annotation on your class field with name, format, or serialize parameters (src/main/java/com/alibaba/fastjson/annotation/JSONField.java)
  2. For format strings, the serializer in ASMSerializerFactory will parse and apply formatting rules (src/main/java/com/alibaba/fastjson/serializer/ASMSerializerFactory.java)
  3. For conditional serialization, implement a SerializeFilter and pass via JSON.toJSONString(object, filters) (src/main/java/com/alibaba/fastjson/serializer/BeforeFilter.java)
  4. Test by serializing your POJO and verifying the field names and format in the output (src/main/java/com/alibaba/fastjson/JSON.java)
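The annotation recipe above as one added example, not code from the fastjson repository or from this artifact. It uses fastjson's `@JSONField` attributes `name`, `format` and `serialize`, and a `PropertyFilter` (one of the `SerializeFilter` types, alongside the `BeforeFilter` the recipe names) passed to `JSON.toJSONString(object, filter)`. The `Account` bean, its field names and the sample values are assumptions. The security-relevant point it demonstrates is the difference between the two exclusion mechanisms: `serialize = false` removes a property from every serialization, while a filter removes it only on the calls that install the filter, so a credential that must never leave the process belongs on the annotation, not in a filter someone can forget.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.annotation.JSONField;
import com.alibaba.fastjson.serializer.PropertyFilter;

import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashSet;
import java.util.Set;

public class FieldControlExample {

    // Hypothetical account bean; the annotations are fastjson's, the fields are made up.
    public static class Account {
        @JSONField(name = "user_id")
        private long userId;

        // Written with this pattern, and parsed back with the same one on deserialization.
        @JSONField(name = "created_at", format = "yyyy-MM-dd")
        private Date createdAt;

        // Excluded from every serialization, whatever filters are in play.
        @JSONField(serialize = false)
        private String passwordHash;

        // Emitted by default; the per-call filter below decides whether it leaves.
        @JSONField(name = "api_token")
        private String apiToken;

        private String email;

        public long getUserId() { return userId; }
        public void setUserId(long userId) { this.userId = userId; }
        public Date getCreatedAt() { return createdAt; }
        public void setCreatedAt(Date createdAt) { this.createdAt = createdAt; }
        public String getPasswordHash() { return passwordHash; }
        public void setPasswordHash(String passwordHash) { this.passwordHash = passwordHash; }
        public String getApiToken() { return apiToken; }
        public void setApiToken(String apiToken) { this.apiToken = apiToken; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    /** A SerializeFilter: properties whose JSON name is listed are dropped from the output. */
    public static final class RedactProperties implements PropertyFilter {
        private final Set<String> redacted;
        public RedactProperties(String... jsonNames) { this.redacted = new HashSet<String>(Arrays.asList(jsonNames)); }
        @Override
        public boolean apply(Object object, String name, Object value) {
            return !redacted.contains(name); // false means "skip this property"
        }
    }

    /** Output for an external audience: token and e-mail are filtered out on this call. */
    public static String toPublicJson(Account account) {
        return JSON.toJSONString(account, new RedactProperties("api_token", "email"));
    }

    /** Output for internal storage: only the annotation-level exclusion applies. */
    public static String toInternalJson(Account account) {
        return JSON.toJSONString(account);
    }

    public static void main(String[] args) {
        // Constructed sample values; none of them is a real credential.
        Account a = new Account();
        a.setUserId(42L);
        a.setCreatedAt(new GregorianCalendar(2024, Calendar.JANUARY, 15).getTime());
        a.setPasswordHash("constructed-hash-value");
        a.setApiToken("constructed-token-value");
        a.setEmail("user@example.com");

        // Contains api_token and email, never password_hash:
        System.out.println(toInternalJson(a));
        // Contains only created_at and user_id:
        System.out.println(toPublicJson(a));

        // Round trip: the renamed and formatted fields map back through the same annotations.
        Account back = JSON.parseObject(toInternalJson(a), Account.class);
        System.out.println(back.getUserId() + " " + back.getCreatedAt());
    }
}
```

The `name` handed to `PropertyFilter.apply` is the JSON property name after any `@JSONField(name = ...)` renaming, so filters must be written against wire names, not Java field names.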

Enable or Disable Parser Features for Security

  1. Review available Feature flags for security implications (AutoCloseSource, AllowISO8601DateFormat, etc.) (src/main/java/com/alibaba/fastjson/parser/Feature.java)
  2. Create a ParserConfig or pass feature flags to JSON.parseObject(jsonString, Type, Feature...) (src/main/java/com/alibaba/fastjson/parser/ParserConfig.java)
  3. For custom class deserialization, whitelist classes in ParserConfig.setAutoTypeSupport(true) with explicit class mapping (src/main/java/com/alibaba/fastjson/parser/ParserConfig.java)
  4. Test security constraints by attempting deserialization of restricted types and verifying failures (src/main/java/com/alibaba/fastjson/JSON.java)
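The parser-hardening recipe above as one added example, not code from the fastjson repository or from this artifact. It shows the two settings that matter for untrusted input in fastjson 1.x: `ParserConfig.setSafeMode(true)`, which rejects every `@type` directive regardless of any accept list (available in recent 1.2.x releases), and the narrower alternative of keeping `setAutoTypeSupport(false)` and whitelisting your own model package by prefix with `ParserConfig.addAccept`, which is how the "explicit class mapping" in step 3 is expressed in the 1.x API. The weak setting, `setAutoTypeSupport(true)` on the global config, is left in a comment as the contrast. The `Order` class, the `com.example.model.` package prefix and the placeholder class name in the rejected payload are assumptions.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.TypeReference;
import com.alibaba.fastjson.parser.ParserConfig;

import java.util.List;

public class SafeParserConfigExample {

    // Hypothetical application model; not part of fastjson.
    public static class Order {
        private String id;
        private int quantity;
        public String getId() { return id; }
        public void setId(String id) { this.id = id; }
        public int getQuantity() { return quantity; }
        public void setQuantity(int quantity) { this.quantity = quantity; }
    }

    /**
     * Strongest setting: safeMode makes the global ParserConfig reject any "@type"
     * directive in the input, whatever the accept list says. Call once at process start.
     */
    public static void hardenGlobalParserConfig() {
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setSafeMode(true);
        // Weak setting, shown only as the contrast and deliberately not executed:
        //   config.setAutoTypeSupport(true);
        // would let any document name the class to instantiate.
    }

    /**
     * Narrower alternative when polymorphic "@type" input is genuinely required:
     * keep autoType off and accept only your own model package by prefix. Not combined
     * with safeMode, which would reject the directive first. The prefix is an assumption.
     */
    public static void allowOnlyModelPackage() {
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setSafeMode(false);
        config.setAutoTypeSupport(false);
        config.addAccept("com.example.model.");
    }

    /** The target type is fixed by the caller, so the document cannot choose it. */
    public static List<Order> parseOrders(String json) {
        return JSON.parseObject(json, new TypeReference<List<Order>>() {});
    }

    /** Step 4 of the recipe: a normal payload parses, a type-directed payload is refused. */
    public static void main(String[] args) {
        hardenGlobalParserConfig();

        // Constructed input: ordinary payload without type directives.
        String plain = "[{\"id\":\"A-1\",\"quantity\":2},{\"id\":\"A-2\",\"quantity\":5}]";
        List<Order> orders = parseOrders(plain);
        System.out.println("parsed " + orders.size() + " orders; first id=" + orders.get(0).getId());

        // Constructed input: a payload that tries to select the class itself. The class name
        // is a placeholder; in safeMode the directive is rejected before any class lookup.
        String typed = "{\"@type\":\"com.example.placeholder.SomeClass\",\"id\":\"A-3\",\"quantity\":1}";
        try {
            JSON.parseObject(typed, Order.class);
            System.out.println("UNEXPECTED: @type directive was accepted");
        } catch (JSONException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

A regression test for this configuration is the second half of `main` turned into an assertion: parsing a document that carries an `@type` key must throw `JSONException`, and the test should run against the same `ParserConfig` instance the application uses, since a per-instance `ParserConfig` passed to `JSON.parseObject` is not affected by settings on the global one.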

🪤 Traps & gotchas

  • Bytecode generation versioning: the ASM version embedded in asm/ is custom and old (pre-Java 8 lambda support); touching code generation requires deep JVM bytecode knowledge.
  • Type erasure workaround: generic deserialization requires a TypeReference<T> wrapper or explicit type info; raw parseObject() returns a Map, not a typed POJO.
  • Thread-safety: DefaultJSONParser is single-threaded; reusing parser instances across threads will fail silently.
  • Annotation processing: @JSONField behavior differs between serialization and deserialization; symmetry is not guaranteed.
  • Legacy JDK 1.5 target (pom.xml jdk.version=1.5): no modern Java features; the codebase uses pre-generics patterns in places.
  • AutoType disabled by default: type information in JSON (the @type field) requires the explicit Feature.SupportAutoType flag because of prior gadget chain exploits; omitting the flag silently drops polymorphic type info.

🏗️ Architecture

💡 Concepts to learn

  • Bytecode Generation (ASM) — FastJSON's primary performance advantage comes from generating custom serializers/deserializers at runtime via bytecode compilation in the asm/ module rather than using reflection; understanding ASM patterns is critical for optimizing serialization paths
  • Lexical Analysis & Tokenization — JSONLexer implements hand-written lexical analysis (character-by-character scanning) rather than regex; this design choice directly impacts both parsing speed and the attack surface for malformed JSON handling
  • Type Erasure Workaround (TypeReference) — Java's generic type erasure means parseObject(json, MyClass.class) loses generic parameter info; FastJSON uses TypeReference<List<User>> wrapper pattern to recover parameterized types at runtime via reflection
  • Gadget Chain Deserialization Attacks — Prior FastJSON versions (pre-1.2.84) were vulnerable to arbitrary code execution via malicious @type fields exploiting Java classpath gadgets (CVE-2022-24086); understanding AutoType feature flags and why they default to disabled is essential for secure usage
  • Streaming vs. Tree Parsing — FastJSON uses tree parsing (loads entire JSON into memory as JSONObject/JSONArray) unlike streaming parsers (Jackson's JsonParser); impacts memory usage and throughput for large payloads
  • Reflection & Introspection Caching — FastJSON caches field metadata and generated bytecode via internal TypeDeserializer registry to avoid repeated reflection; cache invalidation and key collisions are non-obvious performance/correctness pitfalls
  • Polymorphic Serialization via @type — FastJSON can serialize subclass information as @type metadata in JSON; this requires SerializerFeature.WriteClassName on the serialization side and Feature.SupportAutoType on the deserialization side, creating a symmetry burden for developers
  • alibaba/fastjson2 — Official successor—FastJSON 2.0.x is the recommended upgrade path with better security, performance, and Java 8+ support
  • google/gson — Direct competitor in Java JSON serialization; simpler API but slower, commonly used as fallback when FastJSON unavailable
  • FasterXML/jackson-databind — Industry standard alternative with streaming APIs and pluggable backends; higher maturity and ecosystem adoption than FastJSON
  • eishay/jvm-serializers — Benchmark suite that includes FastJSON performance comparisons; referenced in README for validating FastJSON speed claims
  • alibaba/java-coding-guidelines — Alibaba's Java style guide and practices—relevant for understanding code conventions used throughout fastjson codebase

🪄 PR ideas

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive unit tests for JSONPath expression evaluation

The repo has src/main/java/com/alibaba/fastjson/JSONPath.java but lacks dedicated test coverage for JSONPath functionality. JSONPath is a critical feature for querying JSON structures, and robust test cases would catch edge cases (nested paths, wildcard expressions, filter operations). This is especially important given the security emphasis in the repo description.

  • [ ] Create src/test/java/com/alibaba/fastjson/JSONPathTest.java with test cases for basic path expressions
  • [ ] Add tests for complex paths: nested objects, arrays, wildcards (e.g., '$.store.book[*].author')
  • [ ] Add tests for JSONPath filter expressions and edge cases (null handling, invalid paths)
  • [ ] Add performance benchmarks to ensure path evaluation doesn't degrade with complex queries

Implement security-focused unit tests for deserialization exploits

The repo explicitly mentions SECURITY.md and the description emphasizes version 2.0.x being 'faster and more secure.' The deserializer modules (src/main/java/com/alibaba/fastjson/parser/deserializer/) handle untrusted input and are prime attack vectors. Dedicated security tests would validate protections against gadget chains, code injection, and malicious type instantiation.

  • [ ] Create src/test/java/com/alibaba/fastjson/parser/deserializer/SecurityDeserializerTest.java
  • [ ] Add tests for blocked dangerous classes and gadget chain prevention
  • [ ] Add tests for Feature enum security flags (e.g., Feature.DisableCircularReferenceDetect, Feature.AutoCloseSource)
  • [ ] Add regression tests referencing any CVEs documented in SECURITY.md

Add integration tests for ASM-based code generation and validation

The repo contains a custom ASM implementation (src/main/java/com/alibaba/fastjson/asm/) for bytecode generation, which is complex and error-prone. There are ASM-related factory classes (ASMDeserializerFactory) but likely insufficient tests validating generated bytecode correctness across different JDK versions and edge cases.

  • [ ] Create src/test/java/com/alibaba/fastjson/asm/ASMGenerationTest.java to validate generated deserializers
  • [ ] Add tests for generic type handling, inheritance hierarchies, and annotation processing in generated code
  • [ ] Add tests verifying ClassWriter output is valid bytecode that doesn't cause ClassFormatError or VerifyError
  • [ ] Add compatibility tests across multiple JDK versions (1.5 through modern Java versions per pom.xml)

🌿 Good first issues

  • Add unit tests for JSONValidator.java: File exists in top-level API but no corresponding test coverage visible in file list; write tests covering valid/invalid JSON edge cases (empty arrays, nested nulls, Unicode escapes) to ensure robustness.
  • Document @JSONPOJOBuilder annotation usage: src/main/java/com/alibaba/fastjson/annotation/JSONPOJOBuilder.java exists but README has no builder pattern examples; add example code to wiki showing how to deserialize objects with fluent builder APIs.
  • Improve error messages in JSONLexer: Current error reporting likely shows byte offsets; enhance JSONLexer.java to track line/column numbers and show context (e.g., "Unexpected token at line 5, column 12: expected '}'") for easier user debugging.


📝 Recent commits

  • c942c83 — Update README.md (wenshao)
  • 5bc4709 — Update README.md (wenshao)
  • 2261016 — Update README.md (wenshao)
  • 08dcc85 — Update README.md (wenshao)
  • 436cae7 — Update README.md (wenshao)
  • a34ad79 — Update README.md (wenshao)
  • 0bc1884 — Update README.md (wenshao)
  • d1bc620 — Update README.md (wenshao)
  • d49e707 — Update README.md (wenshao)
  • 2ef098d — update to 2.0.18 (wenshao)

🔒 Security observations

Failed to generate security analysis.

LLM-derived; treat as a starting point, not a security audit.


Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.
