Posted to issues@commons.apache.org by GitBox <gi...@apache.org> on 2021/03/03 16:50:24 UTC

[GitHub] [commons-beanutils] chrismaeda edited a comment on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

chrismaeda edited a comment on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789868132


   > > Yep I have done this before with other libraries and put in Maven Central in my `com.melloware` artifact but was really hoping not to have to do that with an Apache Commons Library. But you are right I think I have no choice...
   > 
   > Yep...please only do this when necessary...
   
   So beanutils 1.9.4 is 2 years old and has a small dependency on commons-collections 3, which is red-flagged for security vulnerabilities.  A lot of things have dependencies on beanutils; e.g. Grails 4.0.x depends on commons-validator which depends on beanutils.
   
   I'm offering to help do an update of these commons components to fix security issues.  But it sounds like the official position I'm getting here is that we should maintain our own forks and wait for version 2?
   
   Perhaps I should use the 1.9.4 source as a starting point instead??

