If a field typed as Object is intentionally used and its values are trusted (e.g., always set programmatically, never from user-controlled XML), annotate it with @XstreamSafeObjectField.
While this annotation is not yet available in LTS releases, Jenkins also recognizes the annotation by its simple name only, so plugins can define their own copy without adding a core dependency:
// In your plugin: com.example.myplugin.XstreamSafeObjectField
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface XstreamSafeObjectField {}
public class MyConfig {
@XstreamSafeObjectField
private Object legacyValue;
}
This is temporary and will be removed once the annotation has been available in LTS releases for a while, so plugin developers should switch to the official annotation as soon as practical.