Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apache-commons-configuration2 for 
openSUSE:Factory checked in at 2026-06-22 17:27:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache-commons-configuration2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache-commons-configuration2.new.1956 
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache-commons-configuration2"

Mon Jun 22 17:27:04 2026 rev:4 rq:1360670 version:2.15.1

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/apache-commons-configuration2/apache-commons-configuration2.changes
      2026-05-15 23:54:18.263070571 +0200
+++ 
/work/SRC/openSUSE:Factory/.apache-commons-configuration2.new.1956/apache-commons-configuration2.changes
    2026-06-22 17:27:21.337390541 +0200
@@ -1,0 +2,12 @@
+Fri Jun 19 09:01:15 UTC 2026 - Fridrich Strba <[email protected]>
+
+- Upgrade to version 2.15.1
+  * Fixed Bugs
+    + CONFIGURATION-856: The artifact commons-io:commons-io is a
+      normal dependency
+    + Avoid NPE when combined location strategy sub strategies is
+      immutable list (#639)
+  * Changes
+    + Bump org.apache.commons:commons-parent from 99 to 100
+
+-------------------------------------------------------------------

Old:
----
  commons-configuration2-2.15.0-src.tar.gz

New:
----
  commons-configuration2-2.15.1-src.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache-commons-configuration2.spec ++++++
--- /var/tmp/diff_new_pack.kXkDz1/_old  2026-06-22 17:27:22.961447114 +0200
+++ /var/tmp/diff_new_pack.kXkDz1/_new  2026-06-22 17:27:22.965447254 +0200
@@ -19,7 +19,7 @@
 %global base_name       configuration2
 %global short_name      commons-%{base_name}
 Name:           apache-commons-configuration2
-Version:        2.15.0
+Version:        2.15.1
 Release:        0
 Summary:        Java library providing a generic Configuration interface
 License:        Apache-2.0

++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.kXkDz1/_old  2026-06-22 17:27:23.005448647 +0200
+++ /var/tmp/diff_new_pack.kXkDz1/_new  2026-06-22 17:27:23.009448787 +0200
@@ -1,6 +1,6 @@
-mtime: 1778797737
-commit: e1fb47e61c92b692b996c456310eb1056424c2b66b07d8be254031595074b780
+mtime: 1781859800
+commit: 56b5a2f182e32393f1fc644d7ff28562490a4765bf7f642bfc9a109160c47ff3
 url: https://src.opensuse.org/java-packages/apache-commons-configuration2
-revision: e1fb47e61c92b692b996c456310eb1056424c2b66b07d8be254031595074b780
+revision: 56b5a2f182e32393f1fc644d7ff28562490a4765bf7f642bfc9a109160c47ff3
 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj
 

++++++ apache-commons-configuration2-build.xml ++++++
--- /var/tmp/diff_new_pack.kXkDz1/_old  2026-06-22 17:27:23.033449622 +0200
+++ /var/tmp/diff_new_pack.kXkDz1/_new  2026-06-22 17:27:23.037449762 +0200
@@ -18,7 +18,7 @@
   <property name="project.artifactId" value="commons-configuration2"/>
 
   <property name="spec.version" value="2.15"/>
-  <property name="project.version" value="${spec.version}.0"/>
+  <property name="project.version" value="${spec.version}.1"/>
   <property name="bundle.version" value="${project.version}"/>
 
   <property name="project.name" value="Apache Commons Configuration"/>

++++++ build.specials.obscpio ++++++

++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore      2026-06-19 11:03:20.000000000 +0200
@@ -0,0 +1 @@
+.osc

++++++ commons-configuration2-2.15.0-src.tar.gz -> 
commons-configuration2-2.15.1-src.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/commons-configuration2-2.15.0-src/README.md 
new/commons-configuration2-2.15.1-src/README.md
--- old/commons-configuration2-2.15.0-src/README.md     2026-05-12 
13:50:08.000000000 +0200
+++ new/commons-configuration2-2.15.1-src/README.md     2026-05-21 
14:58:19.000000000 +0200
@@ -45,7 +45,7 @@
 
 [![Java 
CI](https://github.com/apache/commons-configuration/actions/workflows/maven.yml/badge.svg)](https://github.com/apache/commons-configuration/actions/workflows/maven.yml)
 [![Maven 
Central](https://img.shields.io/maven-central/v/org.apache.commons/commons-configuration2?label=Maven%20Central)](https://search.maven.org/artifact/org.apache.commons/commons-configuration2)
-[![Javadocs](https://javadoc.io/badge/org.apache.commons/commons-configuration2/2.15.0.svg)](https://javadoc.io/doc/org.apache.commons/commons-configuration2/2.15.0)
+[![Javadocs](https://javadoc.io/badge/org.apache.commons/commons-configuration2/2.15.1.svg)](https://javadoc.io/doc/org.apache.commons/commons-configuration2/2.15.1)
 
[![CodeQL](https://github.com/apache/commons-configuration/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/apache/commons-configuration/actions/workflows/codeql-analysis.yml)
 [![OpenSSF 
Scorecard](https://api.securityscorecards.dev/projects/github.com/apache/commons-configuration/badge)](https://api.securityscorecards.dev/projects/github.com/apache/commons-configuration)
 
@@ -69,7 +69,7 @@
 <dependency>
   <groupId>org.apache.commons</groupId>
   <artifactId>commons-configuration2</artifactId>
-  <version>2.15.0</version>
+  <version>2.15.1</version>
 </dependency>
 ```
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/commons-configuration2-2.15.0-src/RELEASE-NOTES.txt 
new/commons-configuration2-2.15.1-src/RELEASE-NOTES.txt
--- old/commons-configuration2-2.15.0-src/RELEASE-NOTES.txt     2026-05-12 
13:50:08.000000000 +0200
+++ new/commons-configuration2-2.15.1-src/RELEASE-NOTES.txt     2026-05-21 
14:58:19.000000000 +0200
@@ -1,3 +1,88 @@
+Apache Commons Configuration 2.15.1 Release Notes
+-------------------------------------------------
+
+The Apache Commons Configuration team is pleased to announce the release of 
Apache Commons Configuration 2.15.1.
+
+Introducing Apache Commons Configuration
+----------------------------------------
+
+The Apache Commons Team is pleased to announce Commons Configuration 2.15.1.
+
+The Commons Configuration software library provides a generic configuration 
interface that enables an application to read configuration data from
+various sources and requires Java 8.
+
+This is a feature and maintenance release. Java 8 or later is required.
+
+Changes in this version include:
+
+
+Fixed Bugs
+----------
+
+* CONFIGURATION-856:  The artifact commons-io:commons-io is a normal 
dependency. Thanks to Piotr Zygielo, Gary Gregory.
+*                     Avoid NPE when combined location strategy sub strategies 
is immutable list (#639). Thanks to Wei Huang, Gary Gregory.
+
+Changes
+-------
+
+*                     Bump org.apache.commons:commons-parent from 99 to 100 
Thanks to Gary Gregory.
+
+
+Historical list of changes: 
https://commons.apache.org/proper/commons-configuration/changes.html
+
+For complete information on Apache Commons Configuration, including 
instructions on how to submit bug reports,
+patches, or suggestions for improvement, see the Apache Apache Commons 
Configuration website:
+
+https://commons.apache.org/proper/commons-configuration/
+
+Download it from 
https://commons.apache.org/proper/commons-configuration//download_configuration.cgi
+
+Enjoy!
+Apache Commons Team
+
+-----------------------------------------------------------------------------
+Apache Commons Configuration 2.15.1 Release Notes
+-------------------------------------------------
+
+The Apache Commons Configuration team is pleased to announce the release of 
Apache Commons Configuration 2.15.1.
+
+Introducing Apache Commons Configuration
+----------------------------------------
+
+The Apache Commons Team is pleased to announce Commons Configuration 2.15.1.
+
+The Commons Configuration software library provides a generic configuration 
interface that enables an application to read configuration data from
+various sources and requires Java 8.
+
+This is a feature and maintenance release. Java 8 or later is required.
+
+Changes in this version include:
+
+
+Fixed Bugs
+----------
+
+* CONFIGURATION-856:  The artifact commons-io:commons-io is a normal 
dependency. Thanks to Piotr Zygielo, Gary Gregory.
+
+Changes
+-------
+
+*                     Bump org.apache.commons:commons-parent from 99 to 100 
Thanks to Gary Gregory.
+
+
+Historical list of changes: 
https://commons.apache.org/proper/commons-configuration/changes.html
+
+For complete information on Apache Commons Configuration, including 
instructions on how to submit bug reports,
+patches, or suggestions for improvement, see the Apache Apache Commons 
Configuration website:
+
+https://commons.apache.org/proper/commons-configuration/
+
+Download it from 
https://commons.apache.org/proper/commons-configuration//download_configuration.cgi
+
+Enjoy!
+Apache Commons Team
+
+-----------------------------------------------------------------------------
 Apache Commons Configuration 2.15.0 Release Notes
 -------------------------------------------------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/commons-configuration2-2.15.0-src/pom.xml 
new/commons-configuration2-2.15.1-src/pom.xml
--- old/commons-configuration2-2.15.0-src/pom.xml       2026-05-12 
13:50:08.000000000 +0200
+++ new/commons-configuration2-2.15.1-src/pom.xml       2026-05-21 
14:58:19.000000000 +0200
@@ -20,11 +20,11 @@
   <parent>
     <groupId>org.apache.commons</groupId>
     <artifactId>commons-parent</artifactId>
-    <version>99</version>
+    <version>100</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>commons-configuration2</artifactId>
-  <version>2.15.0</version>
+  <version>2.15.1</version>
   <name>Apache Commons Configuration</name>
   <inceptionYear>2001</inceptionYear>
   <description>
@@ -34,8 +34,8 @@
   <properties>
     <commons.componentid>configuration</commons.componentid>
     
<commons.module.name>org.apache.commons.configuration2</commons.module.name>
-    <commons.release.version>2.15.0</commons.release.version>
-    <commons.release.next>2.15.1</commons.release.next>
+    <commons.release.version>2.15.1</commons.release.version>
+    <commons.release.next>2.15.2</commons.release.next>
     <commons.release.desc>(Java 8 or above)</commons.release.desc>
     <commons.jira.id>CONFIGURATION</commons.jira.id>
     <commons.jira.pid>12310467</commons.jira.pid>
@@ -63,12 +63,12 @@
     <spring.version>5.3.39</spring.version>
     <japicmp.skip>false</japicmp.skip>
     <!-- Commons Release Plugin -->
-    <commons.bc.version>2.14.0</commons.bc.version>
+    <commons.bc.version>2.15.0</commons.bc.version>
     <commons.rc.version>RC2</commons.rc.version>
     <commons.release.isDistModule>true</commons.release.isDistModule>
     
<commons.distSvnStagingUrl>scm:svn:https://dist.apache.org/repos/dist/dev/commons/${commons.componentid}</commons.distSvnStagingUrl>
     <!-- project.build.outputTimestamp is managed by Maven plugins, see 
https://maven.apache.org/guides/mini/guide-reproducible-builds.html -->
-    
<project.build.outputTimestamp>2026-05-12T11:50:08Z</project.build.outputTimestamp>
+    
<project.build.outputTimestamp>2026-05-21T12:58:19Z</project.build.outputTimestamp>
     <!-- JaCoCo: Don't make code coverage worse than: -->
     <commons.jacoco.haltOnFailure>true</commons.jacoco.haltOnFailure>
     <commons.jacoco.classRatio>0.96</commons.jacoco.classRatio>
@@ -157,7 +157,6 @@
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
       <version>2.22.0</version>
-      <optional>true</optional>
     </dependency>
     <dependency>
       <groupId>commons-jxpath</groupId>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/commons-configuration2-2.15.0-src/src/changes/changes.xml 
new/commons-configuration2-2.15.1-src/src/changes/changes.xml
--- old/commons-configuration2-2.15.0-src/src/changes/changes.xml       
2026-05-12 13:50:08.000000000 +0200
+++ new/commons-configuration2-2.15.1-src/src/changes/changes.xml       
2026-05-21 14:58:19.000000000 +0200
@@ -23,11 +23,19 @@
     <author email="[email protected]">Apache Commons Community</author>
   </properties>
   <body>
-    <release version="2.15.0" date="2026-05-11" description="Minor release 
with new features and updated dependencies; requires Java 8 or above.">
+    <release version="2.15.1" date="2026-05-21" description="This is a feature 
and maintenance release. Java 8 or later is required.">
       <!-- FIX -->
-      <action type="update" dev="ggregory" due-to="Gary Gregory">Disable 
include schemes http[s] by default, see AbstractFileLocationStrategy 
#633.</action>
-      <action type="update" dev="ggregory" due-to="Erichen, Gary 
Gregory">Detect and avoid processing cycles in YAML input (YAMLConfiguration) 
#634.</action>
-      <action type="update" dev="ggregory" due-to="Piotr P. Karwasz, Gary 
Gregory">Extend scheme validation to inner schemes of jar: URLs #636.</action>
+      <action type="fix" dev="ggregory" issue="CONFIGURATION-856" 
due-to="Piotr Zygielo, Gary Gregory">The artifact commons-io:commons-io is a 
normal dependency.</action>
+      <action type="fix" dev="ggregory" due-to="Wei Huang, Gary Gregory">Avoid 
NPE when combined location strategy sub strategies is immutable list 
(#639).</action>
+      <!-- ADD -->
+      <!-- UPDATE -->
+      <action type="update" dev="ggregory" due-to="Gary Gregory">Bump 
org.apache.commons:commons-parent from 99 to 100</action>
+    </release>
+    <release version="2.15.0" date="2026-05-11" description="Minor release 
with new features and updated dependencies; requires Java 8 or above; fixes 
CVE-2026-45205.">
+      <!-- FIX -->
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">Disable include 
schemes http[s] by default, see AbstractFileLocationStrategy #633.</action>
+      <action type="fix" dev="ggregory" due-to="Erichen, Gary 
Gregory">CVE-2026-45205: Detect and avoid processing cycles in YAML input 
(YAMLConfiguration) #634.</action>
+      <action type="fix" dev="ggregory" due-to="Piotr P. Karwasz, Gary 
Gregory">Extend scheme validation to inner schemes of jar: URLs #636.</action>
       <!-- ADD -->
       <!-- UPDATE -->
       <action type="update" dev="ggregory" due-to="Gary Gregory">Bump 
org.apache.commons:commons-parent from 97 to 99</action>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/commons-configuration2-2.15.0-src/src/main/java/org/apache/commons/configuration2/io/CombinedLocationStrategy.java
 
new/commons-configuration2-2.15.1-src/src/main/java/org/apache/commons/configuration2/io/CombinedLocationStrategy.java
--- 
old/commons-configuration2-2.15.0-src/src/main/java/org/apache/commons/configuration2/io/CombinedLocationStrategy.java
      2026-05-12 13:50:08.000000000 +0200
+++ 
new/commons-configuration2-2.15.1-src/src/main/java/org/apache/commons/configuration2/io/CombinedLocationStrategy.java
      2026-05-21 14:58:19.000000000 +0200
@@ -21,6 +21,7 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
 
@@ -119,10 +120,11 @@
         if (builder.subStrategies == null) {
             throw new IllegalArgumentException("Collection with sub strategies 
must not be null.");
         }
-        if (builder.subStrategies.contains(null)) {
+        List<FileLocationStrategy> subStrategiesCopy = new 
ArrayList<>(builder.subStrategies);
+        if (subStrategiesCopy.contains(null)) {
             throw new IllegalArgumentException("Collection with sub strategies 
contains null entry.");
         }
-        subStrategies = Collections.unmodifiableCollection(new 
ArrayList<>(builder.subStrategies));
+        subStrategies = Collections.unmodifiableCollection(subStrategiesCopy);
     }
 
     /**
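Review bot: The reordering in this constructor hunk, which copies `builder.subStrategies` into `subStrategiesCopy` before calling `contains(null)`, carries no comment explaining why. A later cleanup could fold the copy back into the `Collections.unmodifiableCollection(...)` call and reintroduce the NPE on null-hostile collections. I would add `// Copy first: contains(null) may throw NPE on null-hostile collections, and checking the copy validates exactly what is stored.` above the copy. The local could also be declared `final`, matching the `final` locals in the test file changed by this same commit. The constructor's signature and opening lines are outside the hunk.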
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/commons-configuration2-2.15.0-src/src/site/xdoc/download_configuration.xml 
new/commons-configuration2-2.15.1-src/src/site/xdoc/download_configuration.xml
--- 
old/commons-configuration2-2.15.0-src/src/site/xdoc/download_configuration.xml  
    2026-05-12 13:50:08.000000000 +0200
+++ 
new/commons-configuration2-2.15.1-src/src/site/xdoc/download_configuration.xml  
    2026-05-21 14:58:19.000000000 +0200
@@ -115,32 +115,32 @@
       </p>
     </subsection>
     </section>
-    <section name="Apache Commons Configuration 2.15.0 (Java 8 or above)">
+    <section name="Apache Commons Configuration 2.15.1 (Java 8 or above)">
       <subsection name="Binaries">
         <table>
           <tr>
-              <td><a 
href="[preferred]/commons/configuration/binaries/commons-configuration2-2.15.0-bin.tar.gz">commons-configuration2-2.15.0-bin.tar.gz</a></td>
-              <td><a 
href="https://downloads.apache.org/commons/configuration/binaries/commons-configuration2-2.15.0-bin.tar.gz.sha512";>sha512</a></td>
-              <td><a 
href="https://downloads.apache.org/commons/configuration/binaries/commons-configuration2-2.15.0-bin.tar.gz.asc";>pgp</a></td>
+              <td><a 
href="[preferred]/commons/configuration/binaries/commons-configuration2-2.15.1-bin.tar.gz">commons-configuration2-2.15.1-bin.tar.gz</a></td>
+              <td><a 
href="https://downloads.apache.org/commons/configuration/binaries/commons-configuration2-2.15.1-bin.tar.gz.sha512";>sha512</a></td>
+              <td><a 
href="https://downloads.apache.org/commons/configuration/binaries/commons-configuration2-2.15.1-bin.tar.gz.asc";>pgp</a></td>
           </tr>
           <tr>
-              <td><a 
href="[preferred]/commons/configuration/binaries/commons-configuration2-2.15.0-bin.zip">commons-configuration2-2.15.0-bin.zip</a></td>
-              <td><a 
href="https://downloads.apache.org/commons/configuration/binaries/commons-configuration2-2.15.0-bin.zip.sha512";>sha512</a></td>
-              <td><a 
href="https://downloads.apache.org/commons/configuration/binaries/commons-configuration2-2.15.0-bin.zip.asc";>pgp</a></td>
+              <td><a 
href="[preferred]/commons/configuration/binaries/commons-configuration2-2.15.1-bin.zip">commons-configuration2-2.15.1-bin.zip</a></td>
+              <td><a 
href="https://downloads.apache.org/commons/configuration/binaries/commons-configuration2-2.15.1-bin.zip.sha512";>sha512</a></td>
+              <td><a 
href="https://downloads.apache.org/commons/configuration/binaries/commons-configuration2-2.15.1-bin.zip.asc";>pgp</a></td>
           </tr>
         </table>
       </subsection>
       <subsection name="Source">
         <table>
           <tr>
-              <td><a 
href="[preferred]/commons/configuration/source/commons-configuration2-2.15.0-src.tar.gz">commons-configuration2-2.15.0-src.tar.gz</a></td>
-              <td><a 
href="https://downloads.apache.org/commons/configuration/source/commons-configuration2-2.15.0-src.tar.gz.sha512";>sha512</a></td>
-              <td><a 
href="https://downloads.apache.org/commons/configuration/source/commons-configuration2-2.15.0-src.tar.gz.asc";>pgp</a></td>
+              <td><a 
href="[preferred]/commons/configuration/source/commons-configuration2-2.15.1-src.tar.gz">commons-configuration2-2.15.1-src.tar.gz</a></td>
+              <td><a 
href="https://downloads.apache.org/commons/configuration/source/commons-configuration2-2.15.1-src.tar.gz.sha512";>sha512</a></td>
+              <td><a 
href="https://downloads.apache.org/commons/configuration/source/commons-configuration2-2.15.1-src.tar.gz.asc";>pgp</a></td>
           </tr>
           <tr>
-              <td><a 
href="[preferred]/commons/configuration/source/commons-configuration2-2.15.0-src.zip">commons-configuration2-2.15.0-src.zip</a></td>
-              <td><a 
href="https://downloads.apache.org/commons/configuration/source/commons-configuration2-2.15.0-src.zip.sha512";>sha512</a></td>
-              <td><a 
href="https://downloads.apache.org/commons/configuration/source/commons-configuration2-2.15.0-src.zip.asc";>pgp</a></td>
+              <td><a 
href="[preferred]/commons/configuration/source/commons-configuration2-2.15.1-src.zip">commons-configuration2-2.15.1-src.zip</a></td>
+              <td><a 
href="https://downloads.apache.org/commons/configuration/source/commons-configuration2-2.15.1-src.zip.sha512";>sha512</a></td>
+              <td><a 
href="https://downloads.apache.org/commons/configuration/source/commons-configuration2-2.15.1-src.zip.asc";>pgp</a></td>
           </tr>
         </table>
       </subsection>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/commons-configuration2-2.15.0-src/src/site/xdoc/security.xml 
new/commons-configuration2-2.15.1-src/src/site/xdoc/security.xml
--- old/commons-configuration2-2.15.0-src/src/site/xdoc/security.xml    
2026-05-12 13:50:08.000000000 +0200
+++ new/commons-configuration2-2.15.1-src/src/site/xdoc/security.xml    
2026-05-21 14:58:19.000000000 +0200
@@ -55,7 +55,7 @@
                     'Denial of service' here means causing resource usage 
disproportionate to the input size.
                 </p>
             </subsection>
-            <subsection name="CVE-2022-33980 prior to 2.8.0, RCE when applied 
to untrusted input">
+            <subsection name="CVE-2022-33980, prior to 2.8.0, RCE when applied 
to untrusted input">
                 <p>
                     On 2022-07-06, the Apache Commons Configuration team 
disclosed
                     <a 
href="https://www.cve.org/CVERecord?id=CVE-2022-33980";>CVE-2022-33980</a>
@@ -124,7 +124,7 @@
                         </li>
                     </ul>
              </subsection>
-             <subsection name="CVE-2024-29131 prior to 2.10.1, Out-of-bounds 
Write vulnerability">
+             <subsection name="CVE-2024-29131, prior to 2.10.1, Out-of-bounds 
Write vulnerability">
                <p>
                  On 2024-03-20, the Apache Commons Configuration team 
disclosed <a 
href="https://www.cve.org/CVERecord?id=CVE-2024-29131";>CVE-2024-29131</a>.
                </p>
@@ -135,7 +135,7 @@
                  The details are in <a 
href="https://issues.apache.org/jira/browse/CONFIGURATION-840";>CONFIGURATION-840</a>.
                </p>
              </subsection>
-             <subsection name="CVE-2024-29133 prior to 2.10.1, Out-of-bounds 
Write vulnerability">
+             <subsection name="CVE-2024-29133, prior to 2.10.1, Out-of-bounds 
Write vulnerability">
                <p>
                  On 2024-03-20, the Apache Commons Configuration team 
disclosed <a 
href="https://www.cve.org/CVERecord?id=CVE-2024-29133";>CVE-2024-29133</a>.
                </p>
@@ -146,6 +146,23 @@
                  The details are in <a 
href="https://issues.apache.org/jira/browse/CONFIGURATION-840";>CONFIGURATION-841</a>.
                </p>
              </subsection>
+             <subsection name="CVE-2026-45205, prior to 2.15.0, 
StackOverflowError for YAML input with cycles ">
+               <p>
+                 On 2026-05-14, the Apache Commons Configuration team 
disclosed <a 
href="https://www.cve.org/CVERecord?id=CVE-2026-45205";>CVE-2026-45205</a>.
+               </p>
+               <p>
+                 When processing an untrusted configuration file, Commons 
Configuration will throw a StackOverflowError for YAML input with cycles.
+                 This issue affects Apache Commons: from 2.2 before 2.15.0.
+                 Users are recommended to upgrade to version 2.15.0, which 
fixes the issue.
+               </p>
+               <p>
+                 References:
+               </p>
+               <ul>
+                 <li><a 
href="https://www.cve.org/CVERecord?id=CVE-2026-45205";>CVE-2026-45205</a></li>
+                 <li><a 
href="https://github.com/apache/commons-configuration/pull/634";>PR #634</a></li>
+               </ul>
+             </subsection>
         </section>
     <section name="Safe Deserialization">
       <p>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/commons-configuration2-2.15.0-src/src/test/java/org/apache/commons/configuration2/io/TestCombinedLocationStrategy.java
 
new/commons-configuration2-2.15.1-src/src/test/java/org/apache/commons/configuration2/io/TestCombinedLocationStrategy.java
--- 
old/commons-configuration2-2.15.0-src/src/test/java/org/apache/commons/configuration2/io/TestCombinedLocationStrategy.java
  2026-05-12 13:50:08.000000000 +0200
+++ 
new/commons-configuration2-2.15.1-src/src/test/java/org/apache/commons/configuration2/io/TestCombinedLocationStrategy.java
  2026-05-21 14:58:19.000000000 +0200
@@ -26,9 +26,11 @@
 import static org.mockito.Mockito.when;
 
 import java.net.URL;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.LinkedList;
+import java.util.Objects;
 
 import org.apache.commons.configuration2.ConfigurationAssert;
 import org.junit.jupiter.api.BeforeAll;
@@ -124,6 +126,25 @@
     }
 
     /**
+     * Tests that the constructor handles collections that throw NPE on 
contains(null) (like ImmutableList).
+     */
+    @Test
+    void testInitCollectionThrowsNPEOnContainsNull() {
+        // Create a collection that throws NPE on contains(null) like 
List.of() instance does
+        final Collection<FileLocationStrategy> collectionThatThrowsNPE = new 
ArrayList<FileLocationStrategy>(Arrays.asList(getSubStrategies())) {
+            @Override
+            public boolean contains(final Object o) {
+                Objects.requireNonNull(o);
+                return super.contains(o);
+            }
+        };
+
+        // This should not throw NPE - the constructor should handle it 
gracefully
+        final CombinedLocationStrategy strategy = new 
CombinedLocationStrategy(collectionThatThrowsNPE);
+        checkSubStrategies(strategy);
+    }
+
+    /**
      * Tests whether a defensive copy of the collection with sub strategies is 
made.
      */
     @Test
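Review bot: The Javadoc on `testInitCollectionThrowsNPEOnContainsNull` names "ImmutableList" while the inline comment names `List.of()`, and neither says why an anonymous `ArrayList` subclass stands in for them. Presumably the reason is the Java 8 baseline stated in this commit's release notes, where `List.of()` does not exist. Saying so in the Javadoc, e.g. `Uses a subclass overriding contains() because List.of() is unavailable on Java 8.`, would keep the stand-in from being simplified away later. The test also goes through the `Collection` constructor while the fix reads `builder.subStrategies`. If that constructor does not delegate to the builder-based one (not visible in this hunk), a builder-based case would be needed to cover the fix.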
