Author: ggregory
Date: Tue Jan 7 13:58:26 2025
New Revision: 74023
Log:
Bump version from 2.0.0-SNAPSHOT to 2.0.0-M1
Modified:
release/commons/beanutils/RELEASE-NOTES.txt
Modified: release/commons/beanutils/RELEASE-NOTES.txt
==============================================================================
--- release/commons/beanutils/RELEASE-NOTES.txt (original)
+++ release/commons/beanutils/RELEASE-NOTES.txt Tue Jan 7 13:58:26 2025
@@ -1,374 +1,471 @@
- Apache Commons BeanUtils 1.10.0
- RELEASE NOTES
-
-The Apache Commons BeanUtils team is pleased to announce the release of Apache
Commons BeanUtils 1.10.0
-
-Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around
reflection and introspection.
-
-This is a maintenance release, requires Java 8.
-
-Changes in this version include:
-
-Fixed Bugs:
-o BEANUTILS-541: FluentPropertyBeanIntrospector caches corrupted writeMethod
(1.x backport) #69. Thanks to Sergey Chernov.
-o Replace internal use of Locale.ENGLISH with Locale.ROOT.
Thanks to Gary Gregory.
-o Replace Maven CLIRR plugin with JApiCmp. Thanks to Gary
Gregory.
-o Port to Java 1.4 Throwable APIs (!). Thanks to Gary Gregory.
-o Fix Javadoc generation on Java 8, 17, and 21. Thanks to Gary
Gregory.
-o AbstractArrayConverter.parseElements(String) now returns a
List<String> instead of a raw List. Thanks to Gary Gregory.
-
-Changes:
-o Bump org.apache.commons:commons-parent from 47 to 78. Thanks
to Gary Gregory.
-o Bump Java requirement from Java 6 to 8. Thanks to Gary
Gregory.
-o Bump junit:junit from 4.12 to 4.13.2. Thanks to Gary Gregory.
-o Bump JUnit from 4.x to 5.x "vintage". Thanks to Gary Gregory.
-o Bump commons-logging:commons-logging from 1.2 to 1.3.4.
Thanks to Gary Gregory.
-o Deprecate BeanUtilsBean.initCause(Throwable, Throwable) for
removal, use Throwable.initCause(Throwable). Thanks to Gary Gregory.
-o Deprecate BeanUtils.initCause(Throwable, Throwable) for
removal, use Throwable.initCause(Throwable). Thanks to Gary Gregory.
-
-
-Historical list of changes:
https://commons.apache.org/proper/commons-beanutils//changes-report.html
-
-For complete information on Apache Commons BeanUtils, including instructions
on how to submit bug reports,
-patches, or suggestions for improvement, see the Apache Commons BeanUtils
website:
-
-https://commons.apache.org/proper/commons-beanutils/
-
-Download it from
https://commons.apache.org/proper/commons-beanutils/download_bcel.cgi
-
-Have fun!
--Apache Commons BCEL team
-
-Feedback
---------
-Open source works best when you give feedback:
-
- https://commons.apache.org/beanutils
-
-Please direct all bug reports to JIRA:
-
- https://issues.apache.org/jira/browse/BEANUTILS
-
-Or subscribe to the commons-user mailing list
-
-The Apache Commons Team
-
------------------------------------------------------------------------------
- Apache Commons BeanUtils 1.9.4
- RELEASE NOTES
-
-The Apache Commons BeanUtils team is pleased to announce the release of Apache
Commons BeanUtils 1.9.4
-
-Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around
reflection and introspection.
-
-The primary reason for this release is a bugfix for CVE-2014-0114. More
specifically, our goal with
-BEANUTILS-520 is to set the default behaviour of the BeanUtilsBean to not
allow class level access. The goal
-in doing this now is to bring 1.9.X into alignment with the same behaviour of
the 2.X version line in
-regards to security.
-
-If one would like to opt out of the default behaviour, one could follow the
example set out in the
-test class available in
src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.
-
-Changes in this version include:
-
-Fixed Bugs:
-o BEANUTILS-520: BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for
commons-beanutils). Thanks to Melloware.
-
-
-Historical list of changes:
https://commons.apache.org/proper/commons-beanutils/changes-report.html
-
-For complete information on Apache Commons BeanUtils, including instructions
on how to submit bug reports,
-patches, or suggestions for improvement, see the Apache Apache Commons
BeanUtils website:
-
-https://commons.apache.org/proper/commons-beanutils/
-
------------------------------------------------------------------------------
-
- Apache Commons BeanUtils 1.9.3
- RELEASE NOTES
-
-The Apache Commons team is pleased to announce the release of Apache
-Commons BeanUtils 1.9.3
-
-Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around
-reflection and introspection.
-
-This is a bug fix release, which also improves the tests for building on Java
-8.
-
-Note that Java 8 and later no longer support indexed bean properties on
-java.util.List, only on arrays like String[]. (BEANUTILS-492). This affects
-PropertyUtils.getPropertyType() and PropertyUtils.getPropertyDescriptor();
-their javadoc have therefore been updated to reflect this change in the JDK.
-
-
-Changes in this version include:
-
-Fixed Bugs:
-
-* BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector
-* BEANUTILS-492: Fixed exception when setting indexed properties on DynaBeans.
- Thanks to Bernhard Seebass.
-* BEANUTILS-470: Precision lost when converting BigDecimal Thanks to Tommy
- Tynjä.
-* BEANUTILS-465: Indexed List Setters fixed. Thanks to Daniel Atallah.
-
-Changes:
-* BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12.
- Thanks to Benedikt Ritter, Gary Gregory.
-* BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2.
- Thanks to Gary Gregory.
-* BEANUTILS-474: FluentPropertyBeanIntrospector does not use the same naming
- algorithm as DefaultBeanIntrospector. Thanks to Michael Grove.
-* BEANUTILS-490: Update Java requirement from Java 5 to 6.
- Thanks to Gary Gregory.
-* BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2
- (CVE-2015-4852). Thanks to Gary Gregory.
-* BEANUTILS-490: Update java requirement to Java 6. Thanks to Gary Gregory.
-* BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8.
- Thanks to Stian Soiland-Reyes.
-* BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9.
- Thanks to Stian Soiland-Reyes.
-* BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9.
- Thanks to Stian Soiland-Reyes.
-
-
-Historical list of changes:
http://commons.apache.org/proper/commons-beanutils/changes-report.html
-
-For complete information on Apache Commons BeanUtils, including instructions on
-how to submit bug reports, patches, or suggestions for improvement, see the
-Apache Apache Commons BeanUtils website:
-
-https://commons.apache.org/proper/commons-beanutils/
-
------------------------------------------------------------------------------
-
- Commons BeanUtils Package
- Version 1.9.2
- Release Notes
-
-INTRODUCTION:
-============
-
-This document contains the release notes for this version of the Commons
-BeanUtils package, and highlights changes since the previous version.
-
-For more information on Commons BeanUtils, see
-o http://commons.apache.org/beanutils/
-
-Release 1.9.2 mainly addresses a potential security issue when accessing
-properties in an uncontrolled way. In a nutshell, if an application that uses
-Commons BeanUtils passes property paths from an external source directly to
-the getProperty() method of BeanUtilsBean, an attacker can access the class
-loader via the class property available on all Java objects.
-
-In version 1.9.2 now a special BeanIntrospector class was added which allows
-suppressing this property. Note that this BeanIntrospector is NOT enabled by
-default! Commons BeanUtils is a low-level library, and on this layer it cannot
-be decided whether access to a certain property is legal or not. Therefore,
-an application has to activate this suppressing BeanIntrospector explicitly.
-This can be done with the following lines of code:
-
-BeanUtilsBean bub = new BeanUtilsBean();
-bub.getPropertyUtils().addBeanIntrospector(
- SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
-
-Now all access to properties has to be done via the specially configured
-BeanUtilsBean instance. More information about this issue can be found at
-https://issues.apache.org/jira/browse/BEANUTILS-463 or in section 2.5 of the
-user's guide.
-
-BUGFIXES in version 1.9.2
-=========================
-* [BEANUTILS-458]
- BaseLocaleConverter.checkConversionResult() no longer throws a
- ConversionException if the result of a conversion is null.
-
-New features in version 1.9.2
-=============================
-* [BEANUTILS-463]
- Added new SuppressPropertiesBeanIntrospector class to deal with a potential
- class loader vulnerability.
-
------------------------------------------------------------------------------
-
- Release Notes for version 1.9.1
-
-Release 1.9.1 is a bug fix release which addresses a problem with the new
-feature of custom introspection introduced with release 1.9.0. It is fully
-binary compatible with the previous release. The minimum required Java version
-is 1.5.
-
-BUGFIXES in version 1.9.1
-=========================
-* [BEANUTILS-456]
- For PropertyDescriptors obtained via custom introspection now additional
- information is stored to prevent that write methods are lost during
- garbage collection.
-
------------------------------------------------------------------------------
-
- Release Notes for version 1.9.0
-
-Release 1.9.0 contains some bug fixes and improvements that have accumulated
-after the 1.8.3 release. The most obvious change is that the new version now
-requires JDK 1.5 or higher, and that language features introduced with Java 5
-(mainly generics) are used. A new feature has been introduced, too: the support
-for customizing bean introspection.
-
-Compatibility with 1.8.3
-========================
-Adding generics to the BeanUtils API has been done in a backwards compatible
-way. This means that after type erasure the resulting classes look the same as
-in the previous version. A drawback of this approach is that sometimes it is
-not possible to use the logically correct type parameters because then
-backwards compatibility would be broken. One example is the BeanMap class: The
-class is now a Map<Object, Object> while its keys actually are strings.
-However, implementing Map<String, Object> would change the signatures of some
-methods in an incompatible way. More details about limitations of the
-generification can be found at
-https://issues.apache.org/jira/browse/BEANUTILS-452
-
-One exception from the compatibility rule is the ResultSetIterator class which
-now implements the Iterator<DynaBean> interface. This causes a change in the
-return value of its next() method. ResultSetIterator is used internally as the
-iterator implementation within ResultSetDynaClass (it is probably a mistake
that
-it is public). So chances are minimal that this change affects existing code.
-
-Another change which may affect compatibility is [BEANUTILS-379] (details can
-be found at https://issues.apache.org/jira/browse/BEANUTILS-379). Older
-versions of BeanUtils contained some classes that were copied from Commons
-Collections. These classes have now been removed, and a dependency to Commons
-Collections has been added; the collections jar now has to be contained in the
-classpath, too.
-
-Except for the change on ResultSetIterator and the additional dependency to
-Commons Collections, Commons BeanUtils 1.9.0 is fully binary compatible with
-the previous version 1.8.3.
-
-Changes on Converters
-=====================
-The convert() method in the Converter interface now uses a type parameter in
-the following way:
-
- <T> T convert(Class<T> type, Object value);
-
-This makes it possible to access the converter's result in a type-safe way.
-Applying generics in this way revealed some inconsistencies in the Converter
-implementations. There were situations in which converters could return a
-result object of a different type as was requested. This was not a problem
-before because the result type was just Object. Now the compiler complains if
-a converter's result is not compatible with the desired target type.
-
-Because of that Converter implementations have been made more strict. A
-converter now checks the passed in target type, and if it cannot handle it,
-throws a ConversionException. This prevents unexpected results and makes
-converters more reliable (it could be considered a bug that a converter returns
-a result object of a different data type as the passed in target type). In a
-typical scenario, when converters are accessed via ConvertUtils, this change
-should not cause any problems because the converters are only called for the
-data types they have been registered for. But if converters are used directly,
-they might now throw ConversionExceptions when they did not in a previous
-version.
-
-BUGFIXES in version 1.9.0
-=========================
-* [BEANUTILS-454]
- BeanUtilsBean.copyProperties() no longer throws a ConversionException for
- null properties of certain data types. This fixes a regression introduced in
- version 1.8.0. The issue is related to [BEANUTILS-387].
-* [BEANUTILS-411]
- BeanUtilsBean.setProperty throws IllegalArgumentException if getter of nested
- property returns null.
-* [BEANUTILS-408]
- MethodUtils.invokeMethod() throws NullPointerException when args==null.
-* [BEANUTILS-426]
- ConstructorUtils.invokeConstructor(Class klass, Object arg) throws
- NullPointerException when arg==null.
-* [BEANUTILS-380]
- BeanMap methods should initialize the root cause of exceptions that are
- thrown when running on JDK 1.4+.
-* [BEANUTILS-379]
- Remove copied Collection classes.
-* [BEANUTILS-378]
- BeanMap does not work in osgi (fixed by BEANUTILS-378).
-* [BEANUTILS-381]
- MethodUtils getMatchingAccessibleMethod() does not correctly handle
- inheritance and method overloading.
-
-New features in version 1.9.0
-=============================
-* [BEANUTILS-425]
- Support customization of introspection mechanism.
-* [BEANUTILS-428]
- Provide a BeanIntrospector implementation which supports properties in a
- fluent API.
-* [BEANUTILS-455]
- WrapDynaBeans can now be configured to use a specific instance of
- PropertyUtilsBean for introspection or property access.
-
-Other changes in version 1.9.0
-==============================
-* [BEANUTILS-452]
- Add generics.
-* [BEANUTILS-449]
- LocaleConverters do not take the target type into account.
-* [BEANUTILS-448]
- LocaleConverters do not check their default value.
-* [BEANUTILS-447]
- LazyDynaList.toArray() is not conform to the contract defined by the
- Collection interface.
-* [BEANUTILS-446]
- Some of the converters ignore the passed in target type.
-* [BEANUTILS-445]
- Converters can return an invalid result object if a default value is set.
-* [BEANUTILS-441]
- Replace UnmodifiableSet.decorate with Collections.unModifiableSet.
-* [BEANUTILS-436]
- Replace package.html with package-info.java.
-* [BEANUTILS-438]
- Add @Deprecated and @Override Annotations.
-* [BEANUTILS-437]
- Replace Date and Revision SVN keywords with Id.
-* [BEANUTILS-431]
- Remove @author tags and move missing authors to pom.xml.
-* [BEANUTILS-432]
- Switch to Java 1.5.
-* [BEANUTILS-429]
- Delete trailing white spaces and white spaces on empty lines from all files.
-* [BEANUTILS-427]
- Configure Checkstyle to check for trailing white spaces and white spaces on
- empty lines.
-
------------------------------------------------------------------------------
-
- Release Notes for version 1.8.3
-
-Compatibility with 1.8.2
-========================
-BeanUtils 1.8.3 is binary compatible release with Beanutils 1.8.2, containing
only bug fixes.
-
-BeanUtils 1.8.3 requires a minimum of JDK 1.3.
-
-Memory Leak
-===========
-A memory leak was found in BeanUtils 1.7.0 (see BEANUTILS-291) which was fixed
-in BeanUtils 1.8.0 for JDK 1.5+.
-
-Testing of BeanUtils 1.8.1 revealed that the leak still appears to exist
-in IBM's JDK 1.6 implementation.
-
-
-see http://issues.apache.org/jira/browse/BEANUTILS-291
- http://issues.apache.org/jira/browse/BEANUTILS-366
-
-
-BUGS FIXED:
-===========
-
-The following is a list of the bugs fixed in this release, with their Jira
issue number:
-
- * [BEANUTILS-373] - MethodUtils is not thread safe because WeakFastHashMap
which uses WeakHashMap is not thread-safe
- * [BEANUTILS-371] - Add constructors which have useColumnLabel parameter to
ResultSetDynaClass and RowSetDynaClass
-
-
+Apache Commons BeanUtils 2.0.0-M1
+Release Notes
+
+The Apache Commons BeanUtils team is pleased to announce the release of Apache
Commons BeanUtils 2.0.0-M1
+
+Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around
reflection and introspection.
+
+This is a major release, requires Java 8.
+
+Changes in this version include:
+
+New features:
+o BEANUTILS-530: New converters for Java 8 Time classes #13. Thanks to
Melloware, Matt Sicker, Gary Gregory.
+o BEANUTILS-346: New converter for Enum. Thanks to Melloware.
+o Add github/codeql-action #118. Thanks to Dependabot, Gary
Gregory.
+o Add and use ConversionException.format(String, Object...).
Thanks to Dependabot, Gary Gregory.
+o Add Converters for additional types: Color, Dimension,
InetAddress, Locale, Pattern, Point #47. Thanks to Seth Falco, Gary Gregory.
+o Make PropertyUtilsBean.getReadMethod(Class,
PropertyDescriptor) public #232. Thanks to Sergey Chernov, Gary Gregory.
+
+Fixed Bugs:
+o BEANUTILS-402: Double-Checked Locking anti pattern in WeakFastHashMap.
Thanks to Melloware.
+o Refactor logger usage #72. Thanks to Andrei Korzhevskii,
Gary Gregory.
+o Migrate to JUnit 5 #93, #283, #284, #285, #287. Thanks to
SethFalco, Steve Bosman, Gary Gregory.
+o Fix SpotBugs [ERROR] Medium:
org.apache.commons.beanutils2.BasicDynaClass.constructorTypes should be both
final and package protected [org.apache.commons.beanutils2.BasicDynaClass] At
BasicDynaClass.java:[line 95] MS_FINAL_PKGPROTECT. Thanks to Gary Gregory.
+o Fix SpotBugs [ERROR] Medium: Load of known null value in
org.apache.commons.beanutils2.converters.AbstractConverter.convert(Class,
Object) [org.apache.commons.beanutils2.converters.AbstractConverter] At
AbstractConverter.java:[line 163] NP_LOAD_OF_KNOWN_NULL_VALUE. Thanks to Gary
Gregory.
+o Fix SpotBugs [ERROR] Medium: Unused public or protected
field: org.apache.commons.beanutils2.WrapDynaClass.descriptors
[org.apache.commons.beanutils2.WrapDynaClass] In WrapDynaClass.java
UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD. Thanks to Gary Gregory.
+o Fix SpotBugs [ERROR] Medium:
org.apache.commons.beanutils2.converters.ArrayConverter.setAllowedChars(char[])
may expose internal representation by storing an externally mutable object into
ArrayConverter.allowedChars
[org.apache.commons.beanutils2.converters.ArrayConverter] At
ArrayConverter.java:[line 202] EI_EXPOSE_REP2. Thanks to Gary Gregory.
+o Fix SpotBugs [ERROR] Medium:
org.apache.commons.beanutils2.converters.DateTimeConverter.setPatterns(String[])
may expose internal representation by storing an externally mutable object
into DateTimeConverter.patterns
[org.apache.commons.beanutils2.converters.DateTimeConverter] At
DateTimeConverter.java:[line 204] EI_EXPOSE_REP2. Thanks to Gary Gregory.
+o Fix SpotBugs [ERROR] Medium:
org.apache.commons.beanutils2.ConversionException.getCause() may expose
internal representation by returning ConversionException.cause
[org.apache.commons.beanutils2.ConversionException] At
ConversionException.java:[line 83] EI_EXPOSE_REP. Thanks to Gary Gregory.
+o Fix SpotBugs [ERROR] Medium: new
org.apache.commons.beanutils2.ConversionException(String, Throwable) may expose
internal representation by storing an externally mutable object into
ConversionException.cause [org.apache.commons.beanutils2.ConversionException]
At ConversionException.java:[line 53] EI_EXPOSE_REP2. Thanks to Gary Gregory.
+o Fix SpotBugs [ERROR] Medium: new
org.apache.commons.beanutils2.ConversionException(Throwable) may expose
internal representation by storing an externally mutable object into
ConversionException.cause [org.apache.commons.beanutils2.ConversionException]
At ConversionException.java:[line 65] EI_EXPOSE_REP2. Thanks to Gary Gregory.
+o Fix SpotBugs [ERROR] Medium:
org.apache.commons.beanutils2.converters.DateTimeConverter.getPatterns() may
expose internal representation by returning DateTimeConverter.patterns
[org.apache.commons.beanutils2.converters.DateTimeConverter] At
DateTimeConverter.java:[line 189] EI_EXPOSE_REP. Thanks to Gary Gregory.
+o Fix SpotBugs [ERROR] Medium:
org.apache.commons.beanutils2.WrapDynaClass.getDynaProperties() may expose
internal representation by returning WrapDynaClass.properties
[org.apache.commons.beanutils2.WrapDynaClass] At WrapDynaClass.java:[line 172]
EI_EXPOSE_REP. Thanks to Gary Gregory.
+o Replace Commons Collections Test Framework 3.2.2 with
4.5.0-M3 #40. Thanks to Melloware, sebbASF, Gary Gregory, Michal Landsman.
+o Provide error index in ConversionException message in
DateTimeConverter.parse(Class, Class, String, DateFormat). Thanks to Gary
Gregory.
+o Avoid possible NPE in DateTimeConverter.parse(Class, Class,
String). Thanks to Gary Gregory.
+o Annotate Converter with @FunctionalInterface. Thanks to
Claude Warren, Gary Gregory.
+o BEANUTILS-564: Fix JDK 21 CI failure due to locale changes #201. Thanks to
SingingBush.
+o Fix warnings and To-Dos #92. Thanks to Seth Falco.
+o Replace internal use of Locale.ENGLISH with Locale.ROOT.
Thanks to Gary Gregory.
+o BEANUTILS-541: FluentPropertyBeanIntrospector caches corrupted writeMethod
(2.x) #68. Thanks to Sergey Chernov.
+
+Changes:
+o BEANUTILS-503: Change packaging from org.apache.commons.beanutils to
org.apache.commons.beanutils2. Thanks to Gary Gregory.
+o BEANUTILS-505: Add missing serialVersionUID to Serializable classes. Thanks
to Gary Gregory.
+o BEANUTILS-512: Add Automatic-Module-Name entry to MANIFEST.MF. Thanks to
Gary Gregory.
+o BEANUTILS-514: Remove deprecated code for 2.0.0. Thanks to Gary Gregory.
+o BEANUTILS-509: WeakHashmap enters into infinite loop in WrapDynaClass.java.
Thanks to sunil, Akshay Gehi.
+o BEANUTILS-520: BeanUtils2 mitigate CVE-2014-0114. Thanks to Melloware.
+o BEANUTILS-527: Convert Collections4 to java.util.function. #8. Thanks to
Melloware, Matt Sicker, Gary Gregory.
+o BEANUTILS-528: New converters for UUID, URI, and Path #10. Thanks to
Melloware, Matt Sicker, Gary Gregory.
+o BEANUTILS-529: Log at the debug level instead of info. Thanks to Gary
Gregory.
+o BEANUTILS-537: Fix typos; fix error in Javadoc; performance fix; fix code
smells #25. Thanks to XenoAmess, Gary Gregory.
+o Bump actions/cache from 2 to 3.0.11 #77, #89, #103, #111.
#137, #141. Thanks to Dependabot, Gary Gregory.
+o Update actions/checkout from 2.3.1 to 3.0.2 #33, #108.
Thanks to Dependabot, Gary Gregory.
+o Update actions/setup-java from 1.4.0 to 3.6.0 #35, #114,
#144. Thanks to Dependabot, Gary Gregory.
+o Bump actions/upload-artifact from 3.1.0 to 3.1.1 #143.
Thanks to Dependabot.
+o BEANUTILS-522: Bump Apache Commons Collections from 4.3 to 4.4. Thanks to
Gary Gregory.
+o BEANUTILS-504: Bump Java from 6 to 7. Thanks to Gary Gregory.
+o BEANUTILS-515: Bump Java from 7 to 8. Thanks to Gary Gregory.
+o Bump junit-jupiter from 5.7.2 to 5.9.1 #113, #126, #134.
Thanks to Dependabot.
+o Bump JUnit from 4 to 5.9.1 vintage, #78, #112, #127, #136.
Thanks to Gary Gregory, Dependabot.
+o Bump Jacoco from 0.8.4 to 0.8.8. Thanks to Gary Gregory.
+o Bump JApiCmp from 0.12.0 to 0.17.1, #46, #110, #130, #146.
Thanks to Gary Gregory, Dependabot.
+o Bump maven-surefire-plugin from 2.22.1 to 3.0.0-M7, #116,
#122. Thanks to Gary Gregory, Dependabot.
+o Bump maven-checkstyle-plugin from 3.0.0 to 3.2.0, #76, #129.
Thanks to Gary Gregory, Dependabot.
+o Bump maven-pmd-plugin from 3.12.0 to 3.19.0, #120, #128,
#131. Thanks to Gary Gregory, Dependabot.
+o Bump BC version from 1.9.3 to 1.9.4. Thanks to Gary Gregory.
+o Bump org.apache.commons:commons-parent from 50 to 74 #229,
#245, #254, #264, #274, #279. Thanks to Gary Gregory, Dependabot.
+o Bump biz.aQute.bndlib from 5.1.0 to 6.4.1 #29, #45, #79,
#109, #119, #121, #147, #175. Thanks to Dependabot.
+o Jacoco 0.8.6 for JDK15 support #55. Thanks to melloware.
+o Updated URLConverterTestCase to run without Internet access
#50. Thanks to SethFalco.
+o Don't initialize variables to defaults #71. Thanks to Arturo
Bernal.
+o Bump spotbugs-maven-plugin from 4.5.3.0 to 4.6.0.0. Thanks
to Dependabot.
+o Bump spotbugs from 4.5.3 to 4.6.0. Thanks to Dependabot.
+o Bump org.apache.commons:commons-lang3 from 3.12.0 to 3.17.0
#263, #269, #280. Thanks to Gary Gregory, Dependabot.
+o Bump commons-logging:commons-logging from 1.2 to 1.3.4 #226,
#246, #259, #275. Thanks to Gary Gregory, Dependabot.
+o Bump org.apache.commons:commons-parent from 74 to 78 #291,
#295, #299, #306. Thanks to Gary Gregory, Dependabot.
+
+Removed:
+o BEANUTILS-527: Removed Commons Collections dependency. #8. Thanks to
Melloware, Matt Sicker, Gary Gregory.
+o Removed BeanUtilsBean2, use BeanUtilsBean. BeanUtilsBean2
functionality is now in BeanUtilsBean.
+ Previous BeanUtilsBean functionality for those methods is no
longer supported. Thanks to Gary Gregory, Niall Pemberton.
+o Removed ConvertUtilsBean2, use ConvertUtilsBean.
ConvertUtilsBean2 functionality is now in ConvertUtilsBean.
+ Previous ConvertUtilsBean functionality for those methods is
no longer supported. Thanks to Gary Gregory, Niall Pemberton.
+o Do not implement Serializable. Thanks to Gary Gregory.
+
+Historical list of changes:
https://commons.apache.org/proper/commons-beanutils/changes-report.html
+
+For complete information on Apache Commons BeanUtils, including instructions
on how to submit bug reports,
+patches, or suggestions for improvement, see the Apache Commons BeanUtils
website:
+
+https://commons.apache.org/proper/commons-beanutils/
+
+-----------------------------------------------------------------------------
+
+Apache Commons BeanUtils 1.10.0
+Release Notes
+
+
+The Apache Commons BeanUtils team is pleased to announce the release of Apache
Commons BeanUtils 1.10.0
+
+Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around
reflection and introspection.
+
+This is a maintenance release and requires Java 8.
+
+Changes in this version include:
+
+Fixed Bugs:
+o BEANUTILS-541: FluentPropertyBeanIntrospector caches corrupted writeMethod
(1.x backport) #69. Thanks to Sergey Chernov.
+o Replace internal use of Locale.ENGLISH with Locale.ROOT.
Thanks to Gary Gregory.
+o Replace Maven CLIRR plugin with JApiCmp. Thanks to Gary
Gregory.
+o Port to Java 1.4 Throwable APIs (!). Thanks to Gary Gregory.
+o Fix Javadoc generation on Java 8, 17, and 21. Thanks to Gary
Gregory.
+o AbstractArrayConverter.parseElements(String) now returns a
List<String> instead of a raw List. Thanks to Gary Gregory.
+
+Changes:
+o Bump org.apache.commons:commons-parent from 47 to 78. Thanks
to Gary Gregory.
+o Bump Java requirement from Java 6 to 8. Thanks to Gary
Gregory.
+o Bump junit:junit from 4.12 to 4.13.2. Thanks to Gary Gregory.
+o Bump JUnit from 4.x to 5.x "vintage". Thanks to Gary Gregory.
+o Bump commons-logging:commons-logging from 1.2 to 1.3.4.
Thanks to Gary Gregory.
+o Deprecate BeanUtilsBean.initCause(Throwable, Throwable) for
removal, use Throwable.initCause(Throwable). Thanks to Gary Gregory.
+o Deprecate BeanUtils.initCause(Throwable, Throwable) for
removal, use Throwable.initCause(Throwable). Thanks to Gary Gregory.
+
+
+Historical list of changes:
https://commons.apache.org/proper/commons-beanutils//changes-report.html
+
+For complete information on Apache Commons BeanUtils, including instructions
on how to submit bug reports,
+patches, or suggestions for improvement, see the Apache Commons BeanUtils
website:
+
+https://commons.apache.org/proper/commons-beanutils/
+
+Download it from
https://commons.apache.org/proper/commons-beanutils/download_bcel.cgi
+
+Have fun!
+-Apache Commons BCEL team
+
+Feedback
+--------
+Open source works best when you give feedback:
+
+ https://commons.apache.org/beanutils
+
+Please direct all bug reports to JIRA:
+
+ https://issues.apache.org/jira/browse/BEANUTILS
+
+Or subscribe to the commons-user mailing list
+
+The Apache Commons Team
+
+-----------------------------------------------------------------------------
+Apache Commons BeanUtils 1.9.4
+Release Notes
+
+
+The Apache Commons BeanUtils team is pleased to announce the release of Apache
Commons BeanUtils 1.9.4
+
+Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around
reflection and introspection.
+
+The primary reason for this release is a bugfix for CVE-2014-0114. More
specifically, our goal with
+BEANUTILS-520 is to set the default behaviour of the BeanUtilsBean to not
allow class level access. The goal
+in doing this now is to bring 1.9.X into alignment with the same behaviour of
the 2.X version line in
+regards to security.
+
+If one would like to opt out of the default behaviour, one could follow the
example set out in the
+test class available in
src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.
+
+Changes in this version include:
+
+Fixed Bugs:
+o BEANUTILS-520: BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for
commons-beanutils). Thanks to Melloware.
+
+
+Historical list of changes:
https://commons.apache.org/proper/commons-beanutils/changes-report.html
+
+For complete information on Apache Commons BeanUtils, including instructions
on how to submit bug reports,
+patches, or suggestions for improvement, see the Apache Apache Commons
BeanUtils website:
+
+https://commons.apache.org/proper/commons-beanutils/
+
+-----------------------------------------------------------------------------
+Apache Commons BeanUtils 1.9.3
+Release Notes
+
+
+The Apache Commons team is pleased to announce the release of Apache
+Commons BeanUtils 1.9.3
+
+Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around
+reflection and introspection.
+
+This is a bug fix release, which also improves the tests for building on Java
+8.
+
+Note that Java 8 and later no longer support indexed bean properties on
+java.util.List, only on arrays like String[]. (BEANUTILS-492). This affects
+PropertyUtils.getPropertyType() and PropertyUtils.getPropertyDescriptor();
+their javadoc have therefore been updated to reflect this change in the JDK.
+
+
+Changes in this version include:
+
+Fixed Bugs:
+
+* BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector
+* BEANUTILS-492: Fixed exception when setting indexed properties on DynaBeans.
+ Thanks to Bernhard Seebass.
+* BEANUTILS-470: Precision lost when converting BigDecimal Thanks to Tommy
+ Tynjä.
+* BEANUTILS-465: Indexed List Setters fixed. Thanks to Daniel Atallah.
+
+Changes:
+* BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12.
+ Thanks to Benedikt Ritter, Gary Gregory.
+* BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2.
+ Thanks to Gary Gregory.
+* BEANUTILS-474: FluentPropertyBeanIntrospector does not use the same naming
+ algorithm as DefaultBeanIntrospector. Thanks to Michael Grove.
+* BEANUTILS-490: Update Java requirement from Java 5 to 6.
+ Thanks to Gary Gregory.
+* BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2
+ (CVE-2015-4852). Thanks to Gary Gregory.
+* BEANUTILS-490: Update java requirement to Java 6. Thanks to Gary Gregory.
+* BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8.
+ Thanks to Stian Soiland-Reyes.
+* BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9.
+ Thanks to Stian Soiland-Reyes.
+* BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9.
+ Thanks to Stian Soiland-Reyes.
+
+
+Historical list of changes:
http://commons.apache.org/proper/commons-beanutils/changes-report.html
+
+For complete information on Apache Commons BeanUtils, including instructions on
+how to submit bug reports, patches, or suggestions for improvement, see the
+Apache Apache Commons BeanUtils website:
+
+https://commons.apache.org/proper/commons-beanutils/
+
+-----------------------------------------------------------------------------
+Apache Commons BeanUtils 1.9.2
+Release Notes
+
+
+INTRODUCTION:
+============
+
+This document contains the release notes for this version of the Commons
+BeanUtils package, and highlights changes since the previous version.
+
+For more information on Commons BeanUtils, see
+o http://commons.apache.org/beanutils/
+
+Release 1.9.2 mainly addresses a potential security issue when accessing
+properties in an uncontrolled way. In a nutshell, if an application that uses
+Commons BeanUtils passes property paths from an external source directly to
+the getProperty() method of BeanUtilsBean, an attacker can access the class
+loader via the class property available on all Java objects.
+
+In version 1.9.2 now a special BeanIntrospector class was added which allows
+suppressing this property. Note that this BeanIntrospector is NOT enabled by
+default! Commons BeanUtils is a low-level library, and on this layer it cannot
+be decided whether access to a certain property is legal or not. Therefore,
+an application has to activate this suppressing BeanIntrospector explicitly.
+This can be done with the following lines of code:
+
+BeanUtilsBean bub = new BeanUtilsBean();
+bub.getPropertyUtils().addBeanIntrospector(
+ SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+
+Now all access to properties has to be done via the specially configured
+BeanUtilsBean instance. More information about this issue can be found at
+https://issues.apache.org/jira/browse/BEANUTILS-463 or in section 2.5 of the
+user's guide.
+
+BUGFIXES in version 1.9.2
+=========================
+* [BEANUTILS-458]
+ BaseLocaleConverter.checkConversionResult() no longer throws a
+ ConversionException if the result of a conversion is null.
+
+New features in version 1.9.2
+=============================
+* [BEANUTILS-463]
+ Added new SuppressPropertiesBeanIntrospector class to deal with a potential
+ class loader vulnerability.
+
+-----------------------------------------------------------------------------
+Apache Commons BeanUtils 1.9.1
+Release Notes
+
+
+Release 1.9.1 is a bug fix release which addresses a problem with the new
+feature of custom introspection introduced with release 1.9.0. It is fully
+binary compatible with the previous release. The minimum required Java version
+is 1.5.
+
+BUGFIXES in version 1.9.1
+=========================
+* [BEANUTILS-456]
+ For PropertyDescriptors obtained via custom introspection now additional
+ information is stored to prevent that write methods are lost during
+ garbage collection.
+
+-----------------------------------------------------------------------------
+Apache Commons BeanUtils 1.9.0
+Release Notes
+
+
+Release 1.9.0 contains some bug fixes and improvements that have accumulated
+after the 1.8.3 release. The most obvious change is that the new version now
+requires JDK 1.5 or higher, and that language features introduced with Java 5
+(mainly generics) are used. A new feature has been introduced, too: the support
+for customizing bean introspection.
+
+Compatibility with 1.8.3
+========================
+Adding generics to the BeanUtils API has been done in a backwards compatible
+way. This means that after type erasure the resulting classes look the same as
+in the previous version. A drawback of this approach is that sometimes it is
+not possible to use the logically correct type parameters because then
+backwards compatibility would be broken. One example is the BeanMap class: The
+class is now a Map<Object, Object> while its keys actually are strings.
+However, implementing Map<String, Object> would change the signatures of some
+methods in an incompatible way. More details about limitations of the
+generification can be found at
+https://issues.apache.org/jira/browse/BEANUTILS-452
+
+One exception from the compatibility rule is the ResultSetIterator class which
+now implements the Iterator<DynaBean> interface. This causes a change in the
+return value of its next() method. ResultSetIterator is used internally as the
+iterator implementation within ResultSetDynaClass (it is probably a mistake
that
+it is public). So chances are minimal that this change affects existing code.
+
+Another change which may affect compatibility is [BEANUTILS-379] (details can
+be found at https://issues.apache.org/jira/browse/BEANUTILS-379). Older
+versions of BeanUtils contained some classes that were copied from Commons
+Collections. These classes have now been removed, and a dependency to Commons
+Collections has been added; the collections jar now has to be contained in the
+classpath, too.
+
+Except for the change on ResultSetIterator and the additional dependency to
+Commons Collections, Commons BeanUtils 1.9.0 is fully binary compatible with
+the previous version 1.8.3.
+
+Changes on Converters
+=====================
+The convert() method in the Converter interface now uses a type parameter in
+the following way:
+
+ <T> T convert(Class<T> type, Object value);
+
+This makes it possible to access the converter's result in a type-safe way.
+Applying generics in this way revealed some inconsistencies in the Converter
+implementations. There were situations in which converters could return a
+result object of a different type as was requested. This was not a problem
+before because the result type was just Object. Now the compiler complains if
+a converter's result is not compatible with the desired target type.
+
+Because of that Converter implementations have been made more strict. A
+converter now checks the passed in target type, and if it cannot handle it,
+throws a ConversionException. This prevents unexpected results and makes
+converters more reliable (it could be considered a bug that a converter returns
+a result object of a different data type as the passed in target type). In a
+typical scenario, when converters are accessed via ConvertUtils, this change
+should not cause any problems because the converters are only called for the
+data types they have been registered for. But if converters are used directly,
+they might now throw ConversionExceptions when they did not in a previous
+version.
+
+BUGFIXES in version 1.9.0
+=========================
+* [BEANUTILS-454]
+ BeanUtilsBean.copyProperties() no longer throws a ConversionException for
+ null properties of certain data types. This fixes a regression introduced in
+ version 1.8.0. The issue is related to [BEANUTILS-387].
+* [BEANUTILS-411]
+ BeanUtilsBean.setProperty throws IllegalArgumentException if getter of nested
+ property returns null.
+* [BEANUTILS-408]
+ MethodUtils.invokeMethod() throws NullPointerException when args==null.
+* [BEANUTILS-426]
+ ConstructorUtils.invokeConstructor(Class klass, Object arg) throws
+ NullPointerException when arg==null.
+* [BEANUTILS-380]
+ BeanMap methods should initialize the root cause of exceptions that are
+ thrown when running on JDK 1.4+.
+* [BEANUTILS-379]
+ Remove copied Collection classes.
+* [BEANUTILS-378]
+ BeanMap does not work in osgi (fixed by BEANUTILS-378).
+* [BEANUTILS-381]
+ MethodUtils getMatchingAccessibleMethod() does not correctly handle
+ inheritance and method overloading.
+
+New features in version 1.9.0
+=============================
+* [BEANUTILS-425]
+ Support customization of introspection mechanism.
+* [BEANUTILS-428]
+ Provide a BeanIntrospector implementation which supports properties in a
+ fluent API.
+* [BEANUTILS-455]
+ WrapDynaBeans can now be configured to use a specific instance of
+ PropertyUtilsBean for introspection or property access.
+
+Other changes in version 1.9.0
+==============================
+* [BEANUTILS-452]
+ Add generics.
+* [BEANUTILS-449]
+ LocaleConverters do not take the target type into account.
+* [BEANUTILS-448]
+ LocaleConverters do not check their default value.
+* [BEANUTILS-447]
+ LazyDynaList.toArray() is not conform to the contract defined by the
+ Collection interface.
+* [BEANUTILS-446]
+ Some of the converters ignore the passed in target type.
+* [BEANUTILS-445]
+ Converters can return an invalid result object if a default value is set.
+* [BEANUTILS-441]
+ Replace UnmodifiableSet.decorate with Collections.unModifiableSet.
+* [BEANUTILS-436]
+ Replace package.html with package-info.java.
+* [BEANUTILS-438]
+ Add @Deprecated and @Override Annotations.
+* [BEANUTILS-437]
+ Replace Date and Revision SVN keywords with Id.
+* [BEANUTILS-431]
+ Remove @author tags and move missing authors to pom.xml.
+* [BEANUTILS-432]
+ Switch to Java 1.5.
+* [BEANUTILS-429]
+ Delete trailing white spaces and white spaces on empty lines from all files.
+* [BEANUTILS-427]
+ Configure Checkstyle to check for trailing white spaces and white spaces on
+ empty lines.
+
+-----------------------------------------------------------------------------
+Apache Commons BeanUtils 1.8.3
+Release Notes
+
+Compatibility with 1.8.2
+========================
+BeanUtils 1.8.3 is binary compatible release with Beanutils 1.8.2, containing
only bug fixes.
+
+BeanUtils 1.8.3 requires a minimum of JDK 1.3.
+
+Memory Leak
+===========
+A memory leak was found in BeanUtils 1.7.0 (see BEANUTILS-291) which was fixed
+in BeanUtils 1.8.0 for JDK 1.5+.
+
+Testing of BeanUtils 1.8.1 revealed that the leak still appears to exist
+in IBM's JDK 1.6 implementation.
+
+
+see http://issues.apache.org/jira/browse/BEANUTILS-291
+ http://issues.apache.org/jira/browse/BEANUTILS-366
+
+
+BUGS FIXED:
+===========
+
+The following is a list of the bugs fixed in this release, with their Jira
issue number:
+
+ * [BEANUTILS-373] - MethodUtils is not thread safe because WeakFastHashMap
which uses WeakHashMap is not thread-safe
+ * [BEANUTILS-371] - Add constructors which have useColumnLabel parameter to
ResultSetDynaClass and RowSetDynaClass
