Add warning about usage of Gson on Android #2856
Adds warning about Android usage on top level readme
Discourages use on Android. Some of the previous phrasing is less true now that R8 full mode exists.
eamonnmcmanus
left a comment
Thanks! I think this is very worthwhile. Just one small thing...
Troubleshooting.md
Outdated
| If you still use a Gson version older than 2.11.0 or if you are using ProGuard for a non-Android project ([related ProGuard issue](https://github.com/Guardsquare/proguard/issues/337)), | ||
| you may need to copy the rules from the [`gson.pro`](gson/src/main/resources/META-INF/proguard/gson.pro) file into your own ProGuard configuration file. | ||
| ### Avoid Reflection | ||
| Use [addReflectionAccessFilter()](https://javadoc.io/doc/com.google.code.gson/gson/latest/com.google.gson/com/google/gson/GsonBuilder.html#addReflectionAccessFilter(com.google.gson.ReflectionAccessFilter)) to add a filter which always returns `BLOCK_ALL` to block all reflection into custom classes. This will mean you need to use explicit objects such as JsonObject and JsonArray. |
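Review bot: The last sentence of the `### Avoid Reflection` paragraph says readers must use JsonObject and JsonArray but never says what happens when Gson meets a class the filter blocks, so a reader cannot tell whether the result is a build-time or a runtime failure. Suggest stating that behavior explicitly. As a style point in the same line, `BLOCK_ALL` is in backticks while JsonObject, JsonArray and the addReflectionAccessFilter() link text are not; put all of them in code formatting for consistency.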
I know it was my suggestion that led to the last sentence here, but I think what we really want to say instead is this:
> This will mean you will need to have a `TypeAdapter` or `TypeAdapterFactory` for every type you might want to serialize or deserialize, or that you are only using Gson through its explicit JSON API via classes like `JsonObject` and `JsonArray`.
I tried to incorporate this with latest patch - I still wanted to reference the BLOCK_ALL step since it sounds as if it would give you the most safety, but let me know if it needs more clarification.
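The behaviour discussed in this review thread, as an added example (not code from the pull request or from the Gson project): a filter that always returns `BLOCK_ALL`, one registered `TypeAdapter`, the explicit `JsonObject` API, and a class with no adapter. `User`, `Session` and `UserAdapter` are constructed for illustration; the final call fails with `JsonIOException` because reflection is blocked and nothing is registered for `Session`.

```java
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonIOException;
import com.google.gson.JsonObject;
import com.google.gson.ReflectionAccessFilter.FilterResult;
import com.google.gson.TypeAdapter;
import com.google.gson.stream.JsonReader;
import com.google.gson.stream.JsonWriter;
import java.io.IOException;

public class BlockAllReflectionDemo {
  // Constructed sample types; neither is part of Gson.
  static final class User { String name; User(String name) { this.name = name; } }
  static final class Session { String token = "constructed-sample"; }

  // Hand-written adapter: reads and writes User without any reflection.
  static final class UserAdapter extends TypeAdapter<User> {
    @Override public void write(JsonWriter out, User u) throws IOException {
      out.beginObject().name("name").value(u.name).endObject();
    }
    @Override public User read(JsonReader in) throws IOException {
      String name = null;
      in.beginObject();
      while (in.hasNext()) {
        if (in.nextName().equals("name")) name = in.nextString(); else in.skipValue();
      }
      in.endObject();
      return new User(name);
    }
  }

  public static void main(String[] args) {
    Gson gson = new GsonBuilder()
        .addReflectionAccessFilter(rawClass -> FilterResult.BLOCK_ALL) // block every class
        .registerTypeAdapter(User.class, new UserAdapter())
        .create();

    System.out.println(gson.toJson(new User("ada")));        // served by UserAdapter
    System.out.println(gson.fromJson("{\"name\":\"bob\"}", User.class).name);
    JsonObject obj = new JsonObject();                        // explicit JSON API
    obj.addProperty("name", "carol");
    System.out.println(gson.toJson(obj));
    try {
      gson.toJson(new Session());                             // no adapter registered
    } catch (JsonIOException e) {
      System.out.println("blocked: " + e.getMessage());
    }
  }
}
```

Because the failure surfaces at the first use of an unregistered type rather than only in an optimized release build, a missing adapter shows up in ordinary debug testing.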
eamonnmcmanus
left a comment
That looks great, better than the wording I proposed!
| > [!IMPORTANT]\ | ||
| > Gson is not a recommended library for interacting with JSON on Android. The open ended reflection in the Gson runtime doesn't play nicely with shrinking/optimization/obfuscation passes that Android release apps should perform.\ | ||
| > If your app or library may be running on Android, instead look at [Kotlin Serialization](https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/basic-serialization.md#basics) which uses code generation instead of reflection. This avoids Gson's runtime crashes when optimizations are applied, and results in faster performance on Android devices. If you still want to use Gson and attempt to avoid these crashes, you can see how to do so [here](Troubleshooting.md#-proguard--r8). |
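Review bot: The closing sentence of the note links to the troubleshooting section with the link text "here", which says nothing about the target when links are scanned or read out of context; name the destination instead, for example "see the ProGuard / R8 section of Troubleshooting.md". In the same line, "results in faster performance on Android devices" is stated without a reference, so either link a source or soften the claim.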
Seems we can also mention Moshi here?
Instead look at Kotlin Serialization or Moshi, that use code generation instead of reflection.
Moshi could handle Java classes.
Addressing it to #2857.
…ip ci] Bumps [com.google.code.gson:gson](https://github.com/google/gson) from 2.13.1 to 2.13.2.

Release notes

*Sourced from [com.google.code.gson:gson's releases](https://github.com/google/gson/releases).*

> Gson 2.13.2
> -----------
>
> The main changes in this release are just newer dependencies.
>
> What's Changed
> --------------
>
> * Improved packaging of JPMS module declaration in Gson jar
>   This fixes an issue where Eclipse and VS Code users could not refer to the Gson module name `com.google.gson`. See issue [google/gson#2679](https://github.com/google/gson/issues/2679).
> * Remove internal class `GsonPreconditions` by [`@Marcono1234`](https://github.com/Marcono1234) in [google/gson#2879](https://github.com/google/gson/pull/2879)
> * Switch to using central-publishing-maven-plugin by [`@eamonnmcmanus`](https://github.com/eamonnmcmanus) in [google/gson#2900](https://github.com/google/gson/pull/2900)
>
> New Contributors
> ----------------
>
> * [`@MukjepScarlet`](https://github.com/MukjepScarlet) made their first contribution in [google/gson#2852](https://github.com/google/gson/pull/2852)
> * [`@ChrisCraik`](https://github.com/ChrisCraik) made their first contribution in [google/gson#2856](https://github.com/google/gson/pull/2856)
>
> **Full Changelog**: <google/gson@gson-parent-2.13.1...gson-parent-2.13.2>

Commits

* [`686fad7`](google/gson@686fad7) [maven-release-plugin] prepare release gson-parent-2.13.2
* [`c2d252a`](google/gson@c2d252a) Switch to using central-publishing-maven-plugin. ([#2900](https://github.com/google/gson/issues/2900))
* [`69cb755`](google/gson@69cb755) Bump the github-actions group with 5 updates ([#2894](https://github.com/google/gson/issues/2894))
* [`ea552c2`](google/gson@ea552c2) Bump the maven group across 1 directory with 3 updates ([#2898](https://github.com/google/gson/issues/2898))
* [`fdc616d`](google/gson@fdc616d) Set top-level permissions for CodeQL workflow ([#2889](https://github.com/google/gson/issues/2889))
* [`9334715`](google/gson@9334715) Create scorecard.yml ([#2888](https://github.com/google/gson/issues/2888))
* [`f7de5c2`](google/gson@f7de5c2) Bump the maven group with 8 updates ([#2885](https://github.com/google/gson/issues/2885))
* [`8c23cd3`](google/gson@8c23cd3) Update sources to satisfy a new Error Prone check. ([#2887](https://github.com/google/gson/issues/2887))
* [`5eab3ed`](google/gson@5eab3ed) Bump the github-actions group with 2 updates ([#2886](https://github.com/google/gson/issues/2886))
* [`5f5c200`](google/gson@5f5c200) Bump the maven group across 1 directory with 10 updates ([#2872](https://github.com/google/gson/issues/2872))
* Additional commits viewable in [compare view](google/gson@gson-parent-2.13.1...gson-parent-2.13.2)
Purpose
The goal of this PR is to clarify that Gson should generally not be used for Android projects since it will often make optimization harder, especially now with R8 full mode being the default.
Description
When trying to encourage Android developers to optimize their apps, Gson is one of the primary causes of crashes due to conflicts between the open-ended reflection of Gson and the efforts of optimizations from R8 (or ProGuard before it).
Checklist
Not applicable, markdown-only change.