Upgrade to jackson 2.12.3

[gheine]

Fixes #632

[ndeverge]

It would be great to merge this one in order to fix CVE-2020-36518.

Thanks

[mkurz]

I am interested what the akka team will do, because they are stuck on Jackson 2.11... I am tracking akka/akka#31282 and akka/akka#31281 (which upgrades Jackson only when on Scala 3 however).
If akka don't upgrade, we might finally consider upgrading it for Play though, even in 2.8.x, which should not break akka (but maybe apps?), see akka/akka#31097 (comment):

jackson changed between 2.11.4 and 2.13.1. While we don't rely on any of the parts that changed, so Akka works fine with 2.13.1, there could be projects using Akka that do rely on the 2.11 behavior. For that reason we're reluctant to update jackson in Akka, since that might force projects to also update, which might not be easy.

[mkurz]

Please have a look my comment in #740, for the next major release IMHO it now makes sense to upgrade to latet Jackson for play-json and play itself.

[mkurz]

For CVE-2020-36518 however I think users should upgrade the dependency themselves... Since I don't want to introduce breaking changes into production apps... So everyone has to test carefully. I will write an announcement about the CVE-2020-36518 in the GitHub Discussions soon.

[mkurz]

@ndeverge Please see playframework/playframework#11222 regarding CVE-2020-36518.

[ndeverge]

Thanks @mkurz, it's perfectly clear!