alibaba/fastjson2
FASTJSON2 is a Java JSON library with excellent performance.
Healthy across the board
Permissive license, no critical CVEs, actively maintained: safe to depend on.
Has a license, tests, and CI: clean foundation to fork and modify.
Documented and popular: useful reference codebase to read through.
No critical CVEs, sane security posture: runnable as-is.
- Last commit 3d ago
- 11 active contributors
- Apache-2.0 licensed
- CI configured
- Tests present
- Concentrated ownership: top contributor handles 58% of recent commits
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding doc
Onboarding: alibaba/fastjson2
Generated by RepoPilot · 2026-05-09 · Source
Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in "Verify before trusting" below. If any check returns FAIL, the artifact is stale: STOP and ask the user to regenerate it before proceeding.
- Treat the "AI · unverified" sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/alibaba/fastjson2 shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything, but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
Verdict
GO: Healthy across the board
- Last commit 3d ago
- 11 active contributors
- Apache-2.0 licensed
- CI configured
- Tests present
- Concentrated ownership: top contributor handles 58% of recent commits
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an
agent acts on it, the checks below confirm that the live alibaba/fastjson2
repo on your machine still matches what RepoPilot saw. If any fail,
the artifact is stale; regenerate it at
repopilot.app/r/alibaba/fastjson2.
What it runs against: a local clone of alibaba/fastjson2. The script
inspects git remote, the LICENSE file, file paths in the working
tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in alibaba/fastjson2 | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch main exists | Catches branch renames |
| 4 | Last commit ≤ 33 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of alibaba/fastjson2. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/alibaba/fastjson2.git
#   cd fastjson2
#
# Then paste this script. Every check is read-only - no mutations.
set +e
fail=0
ok() { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of alibaba/fastjson2 and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "alibaba/fastjson2(\.git)?\b" \
  && ok "origin remote is alibaba/fastjson2" \
  || miss "origin remote is not alibaba/fastjson2 (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\.0)" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift - was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \
  && ok "default branch main exists" \
  || miss "default branch main no longer exists"

# 4. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 33 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~3d)"
else
  miss "last commit was $days_since_last days ago - artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) - safe to trust"
else
  echo "artifact has $fail stale claim(s) - regenerate at https://repopilot.app/r/alibaba/fastjson2"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if
anything failed, so it composes cleanly into agent loops
(./verify.sh || regenerate-and-retry).
TL;DR
FASTJSON2 is a high-performance Java JSON serialization/deserialization library designed as the next-generation successor to FASTJSON, offering dual-format support for both JSON (text) and JSONB (binary) protocols. It significantly outperforms Jackson and Gson while supporting full document parsing and selective extraction via JSONPath, with optimizations for JDK 8+, Android 8+, and modern Java features like Records and Vector APIs. Multi-module Maven project: core fastjson2 library in main codebase, separate modules for fastjson2-codegen (code generation) and fastjson2-kotlin (Kotlin extensions) as dependencies; android-test/ is a dedicated Android Gradle subproject (compileSdk 31, minSdk 26) testing library compatibility on Android 8+; CI workflow (ci.yaml) runs tests across JDK versions and platforms.
Who it's for
Java backend engineers and Android developers who need blazingly fast JSON parsing/serialization for high-throughput systems; performance-critical applications serving millions of requests; teams building data pipelines and real-time analytics where JSON throughput matters; Kotlin developers leveraging first-class Kotlin extensions for type-safe JSON operations.
Maturity & risk
Production-ready and actively maintained: 10k+ GitHub stars, comprehensive CI/CD via GitHub Actions (.github/workflows/ci.yaml), high codecov coverage tracked (.codecov.yml), multi-platform test coverage (Java, Android, Kotlin). Regular SNAPSHOT releases to Maven Central (v2.0.41-SNAPSHOT visible in dependencies). This is a mature, battle-tested library used across Alibaba's ecosystem.
Standard open source risks apply.
Active areas of work
Active development toward v2.0.x stability: SNAPSHOT versions (2.0.41-SNAPSHOT) being tested in android-test/; Kotlin support being enhanced (fastjson2-kotlin:2.0.40 dependency); Android compatibility validation ongoing across multiple test cases (EishayTest.java, Issue715.java, JSONKtTest.kt, ValueTest.java); dependabot.yml indicates automated dependency management enabled.
Get running
Clone and build: git clone https://github.com/alibaba/fastjson2.git && cd fastjson2 && ./mvnw clean install. For Android testing: cd android-test && ./gradlew build. Run tests: ./mvnw test or ./mvnw -DskipTests=false clean verify.
Daily commands:
Dev build: ./mvnw clean package. Run unit tests: ./mvnw test. Full test suite with Android: ./mvnw clean verify && cd android-test && ./gradlew connectedAndroidTest (requires Android SDK/emulator). Build snapshot: ./mvnw clean install -DskipTests.
Map of the codebase
- .github/workflows/ci.yaml: CI/CD pipeline defining test matrix across JDK versions and platforms; critical for verifying compatibility claims
- android-test/app/src/androidTest/java/com/alibaba/fastjson2/android/: Android integration tests validating library behavior on actual Android platform (minSdk 26), essential for multi-platform maturity
- .codecov.yml: Code coverage configuration ensuring test quality metrics are tracked across commits
- CONTRIBUTING.md: Contributor guidelines and workflow for external contributors; reference for onboarding process
- android-test/app/build.gradle: Android build configuration with Gradle; shows exact SDK versions (compileSdk 31, minSdk 26, targetSdk 29) and dependencies
How to make changes
Core serialization logic: examine main source tree (reference to com.alibaba.fastjson2 package in android tests). Kotlin extensions: modify fastjson2-kotlin module. Android compatibility: add tests to android-test/app/src/androidTest/java/com/alibaba/fastjson2/android/. New features: add to main module, expose via fastjson2-codegen or fastjson2-kotlin as needed. Follow CONTRIBUTING.md and CODE_OF_CONDUCT.md.
Traps & gotchas
Android minSdk is 26 (Android 8.0), not all devices supported; SNAPSHOT versions in dependencies (2.0.41-SNAPSHOT) require Sonatype snapshots repository configured; ProGuard rules in android-test/app/proguard-rules.pro must be applied for release builds; dual format support means JSONB output is non-standard (not interoperable with other JSON libraries without custom parsers); .mvn/wrapper uses Maven Wrapper, not system Maven.
Concepts to learn
- JSONB (Binary JSON Format): FASTJSON2's dual-format capability; understanding the binary serialization format is essential for leveraging performance gains in high-throughput systems
- JSONPath (SQL:2016 Standard): Core feature for selective JSON extraction without parsing entire documents; enables efficient partial document queries
- Unsafe Memory Operations (sun.misc.Unsafe): FASTJSON2 uses JVM Unsafe for low-level optimizations; visible in UnsafeTest.java and UnsafeUtilsTest.java in android-test/, critical for understanding performance characteristics
- Code Generation (Codegen) for Serialization: fastjson2-codegen module generates specialized serialization code at compile-time or runtime; avoids reflection overhead in hot paths
- Vector API (JDK 21+): FASTJSON2 optimizes for modern JDK versions using Vector API for SIMD operations; relevant for performance tuning on JDK 17+
- Compact String Optimization (JDK 9+): FASTJSON2 leverages JDK 9+ compact string representation (single-byte encoding for Latin-1 strings); improves memory efficiency for JSON strings
- Android ProGuard/R8 Obfuscation: android-test/ includes proguard-rules.pro; necessary for shipping FASTJSON2 in production Android apps to prevent method/field stripping
Related repos
- FasterXML/jackson-databind: Direct performance competitor for Java JSON serialization; Jackson is the most common alternative mentioned in benchmarks
- google/gson: Another mainstream Java JSON library and performance baseline; FASTJSON2 explicitly outperforms it per README
- alibaba/fastjson: Original FASTJSON (v1.x); FASTJSON2 is the successor; legacy codebase for users not yet migrated
- alibaba/druid: Complementary Alibaba library (JDBC connection pool, SQL parser); often used in same ecosystem for data pipeline projects
- Kotlin/kotlinx.serialization: Kotlin's native serialization library; FASTJSON2's Kotlin extensions provide an alternative with higher JSON performance
PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add Android API level compatibility tests for API 21-25
The android-test app currently targets minSdk 26, but fastjson2 should support wider Android versions. The existing android-test suite only covers API 26+. Adding instrumented tests for API 21-25 would ensure fastjson2 works reliably across more device generations and increase library adoption. This aligns with the CONTRIBUTING.md guidance for comprehensive testing.
- [ ] Create android-test/app/src/androidTest/java/com/alibaba/fastjson2/android/APICompatibilityTest.java targeting API 21-25 scenarios
- [ ] Add test cases for reflection-based serialization edge cases that differ between API levels (e.g., handling of removed/deprecated Java classes)
- [ ] Update android-test/app/build.gradle to run tests on multiple emulator API levels (21, 23, 25) in addition to current 26+
- [ ] Document any API level-specific workarounds in CONTRIBUTING.md or a new ANDROID_COMPATIBILITY.md file
Add performance regression benchmarks to CI pipeline
The .github/workflows/ci.yaml currently runs tests but lacks performance benchmarks. fastjson2's core value proposition is 'excellent performance', but there's no automated CI check to prevent performance regressions. Adding JMH (Java Microbenchmark Harness) benchmarks to the CI would protect against unintended performance degradation and provide metrics for PRs.
- [ ] Create benchmark module at benchmark/pom.xml with JMH dependencies and existing test JSONs (eishay.json, cart.json, h5api.json, homepage.json from android-test/app/src/main/assets)
- [ ] Add benchmark/src/main/java/com/alibaba/fastjson2/benchmark/SerializationBenchmark.java and DeserializationBenchmark.java testing core parse/toJSONString operations
- [ ] Update .github/workflows/ci.yaml to run benchmarks on baseline branch and compare against PR branch, posting results as PR comments
- [ ] Document benchmark setup and how to run locally in CONTRIBUTING.md
Add Kotlin extension tests for null safety and coroutine integration
The android-test suite includes JSONKtTest.kt but it's minimal. Given that fastjson2-kotlin (v2.0.40) is a first-class module, there should be comprehensive Kotlin-specific tests covering null safety (nullable/non-nullable types), data class serialization edge cases, and potential coroutine integration scenarios. This ensures Kotlin developers have confidence in the library.
- [ ] Expand android-test/app/src/androidTest/java/com/alibaba/fastjson2/android/JSONKtTest.kt with test cases for: nullable properties, lateinit vars, data class defaults, sealed classes, and object serialization
- [ ] Add android-test/app/src/androidTest/java/com/alibaba/fastjson2/android/KotlinNullSafetyTest.kt to verify type safety at compile and runtime (e.g., non-null fields reject null JSON values)
- [ ] Create android-test/app/src/androidTest/java/com/alibaba/fastjson2/android/KotlinDataClassTest.kt with complex nested data class scenarios
- [ ] Update README.md with a 'Kotlin Usage' section referencing these tests and best practices
Good first issues
- Add missing unit tests for JSONB binary format edge cases (e.g., large arrays, deeply nested objects); examine android-test/ structure and replicate patterns in main test suite
- Expand JSONPath SQL:2016 compatibility documentation with concrete examples in README.md; currently mentioned but no usage examples provided
- Optimize Kotlin extension API surface (fastjson2-kotlin module) by adding reified type parameter overloads to reduce .java<Type>().value boilerplate in common Kotlin use cases
Top contributors
- @wenshao: 58 commits
- @jujn: 25 commits
- @mengnankkkk: 6 commits
- @Copilot: 3 commits
- @ban-xiu: 2 commits
Recent commits
- 3697c2d - fix: JSONB ASM direct-write under-counted object frame bytes (#7616) (#7617) (wenshao)
- 5a05075 - fix: JSONPath syntax error when 'in'/'rlike' filter follows other filters (#3997) (#4030) (wenshao)
- 14ea6ea - fix: Map subclass loses @type when serialized with ValueFilter (#3984) (#4029) (wenshao)
- ede10a5 - Docs/comprehensive documentation overhaul (#4028) (wenshao)
- 7bceed2 - fix: skip whitespace after non-comma in readLocalDate for UTF8 reader (#4005) (mengnankkkk)
- 05e8220 - fix: DateUtils multiple bugs - bitwise OR typo, bounds check off-by-one, wrong offset and error message length (wenshao)
- b3eb46c - Refactor/improve object reader creator asm (#4021) (wenshao)
- bbb1d02 - fix: IOUtils.regionMatches off-by-one and parseInt error message corruption (#4022) (wenshao)
- f15dc36 - fix: writeFloat(float[]) ArrayIndexOutOfBoundsException when WriteNonStringValueAsString enabled, for issue #1591 (wenshao)
- f951947 - fix: JSONPath nested array filter returning incorrect results, for issue #4007 (#4015) (jujn)
Security observations
- High · Outdated Dependency: Jackson Databind. android-test/app/build.gradle - dependencies section. jackson-databind 2.14.2 contains known vulnerabilities. The package should be updated to the latest patched version (2.15.2 or later). Jackson databind has had multiple CVEs related to deserialization attacks and type handling. Fix: Update jackson-databind to version 2.15.2 or later. Also update jackson-core and jackson-annotations to matching versions.
- High · SNAPSHOT Version in Production Dependencies. android-test/app/build.gradle - fastjson2:2.0.41-SNAPSHOT dependency. The Android test app includes 'fastjson2:2.0.41-SNAPSHOT' which is a development snapshot version. Snapshot versions are unstable and may contain unpatched security vulnerabilities. Using snapshots in production or test environments can introduce unpredictable security issues. Fix: Replace the SNAPSHOT version with a stable release version (e.g., 2.0.41 or later stable release). SNAPSHOT versions should only be used in isolated development environments.
- High · Legacy fastjson 1.x Dependency. android-test/app/build.gradle - fastjson:1.1.73.android dependency. The dependency 'com.alibaba:fastjson:1.1.73.android' is an outdated version of fastjson 1.x. Fastjson 1.x has known critical vulnerabilities including RCE attacks via deserialization. The entire 1.x line is deprecated in favor of fastjson2. Fix: Remove the fastjson 1.x dependency entirely. Use only fastjson2 which is the maintained and secure version.
- Medium · Outdated Kotlin Standard Library. android-test/app/build.gradle - kotlin dependencies. kotlin-stdlib and kotlin-reflect are pinned to version 1.8.10, which is outdated. Newer Kotlin versions include security patches and bug fixes. Current stable is 1.9.x+. Fix: Update Kotlin stdlib and reflect to version 1.9.x or latest stable version.
- Medium · Outdated Android SDK Targets. android-test/app/build.gradle - android.compileSdk and targetSdk. The Android configuration uses compileSdk 31 and targetSdk 29, which are significantly outdated. Current recommendations are SDK 33+. Older SDKs lack recent security patches and Google Play requires targetSdk 31+ (now enforced to 33+). Fix: Update compileSdk to 34 and targetSdk to 34. Update minSdk if possible (current 26 is very old).
- Medium · Outdated AndroidX Dependencies. android-test/app/build.gradle - AndroidX dependencies. Android dependencies are outdated: appcompat 1.4.0, material 1.4.0, and constraintlayout 2.1.1 are significantly behind current versions. These libraries contain security fixes in newer versions. Fix: Update to: appcompat 1.6.1+, material 1.10.0+, constraintlayout 2.1.4+ (or later).
- Medium · Outdated Test Dependencies. android-test/app/build.gradle - test dependencies. Test dependencies are outdated: junit 5.9.2, androidx.test.ext:junit 1.1.3, and espresso-core 3.3.0 are behind current versions which may have security implications. Fix: Update to latest versions: junit 5.9.3+, androidx.test.ext:junit 1.1.5+, espresso-core 3.5.1+.
- Low · Missing ProGuard Configuration Review. android-test/app/proguard-rules.pro. While minifyEnabled is false in release build (allowing code inspection), the proguard-rules.pro file should be reviewed to ensure it's properly configured if minification is enabled in production. Fix: Review and properly configure ProGuard rules. Consider enabling minification in release builds with appropriate rules to obfuscate
LLM-derived; treat as a starting point, not a security audit.
Where to read next
- Open issues: current backlog
- Recent PRs: what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals; see the live page for receipts. Re-run on a new commit to refresh.