Deserializing a JSON Merge Patch fails when the input is not a JSON object

[patveck]

A JSON Merge Patch (RFC 7396) is typically a JSON object, and Jackson (at least versions 2.13 and 2.14.0-RC2) deserializes JSON objects to javax.json.JsonMergePatch as expected.

However, when deserializing input that is not a JSON object, Jackson throws an exception, with the exact exception depending on whether the input is a JSON array or scalar.

RFC 7396 does not limit the JSON Merge Patch format to JSON Objects and in fact handles the case where the merge patch is not an object explicitly in the pseudocode function presented in Section 2 of the RFC. More importantly, Jackson's current behavior is somewhat awkward for instance when using JsonMergePatch directly in a Spring controller like so:

@PatchMapping
ResponseEntity<?> patch(@RequestBody JsonMergePatch mergePatch) { ... }

When called with a body that is a JSON array, this throws an NPE, with a typical Spring exception handler would convert into a response with HTTP status code 500.

IMO, the preferred fix would be to call JsonValueDeserializer#deserialize instead of _deserializeObject from JsonMergePatchDeserializer (see PR #26), which would return a JsonValue. Alternatively, _deserializeObject could check whether the current token is START_OBJECT and return an empty JsonObject.