Hello, I’d like to ask about the plans for an official release of BeanUtils2 (2.0.0 final). We are tracking this for our migration to Java 21 and JasperReports 7.
The milestone releases (2.0.0-M1) are helpful, but is there a timeline or roadmap for a stable, non-milestone release? I'm referencing from https://commons.apache.org/proper/commons-beanutils/changes.html .

Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks like a release was made through the 'melloware' group as a non-Apache alternative to swap 2.0.0-M1 to 2.0.0. I've followed up with melloware on the issue of https://github.com/Jaspersoft/jasperreports/issues/260

Currently the lack of a vision for an official final release of BeanUtils2 remains a concerning blocker for our migration of our software suite from Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.

In addition, https://github.com/apache/commons-beanutils/security does not contain any disclaimer disregarding a continuous concern within the community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 / COLLECTIONS-701, revolving around the concerns of the changes made in commons-collections4, 4.2, https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23

I took the time to look through the dependencies in commons-beanutils, commons-beanutils2, commons-digester, collections 3.2 / commons-collections4 and was unable to find SetUniqueList being used across these components that directly impacts commons-beanutils functionality & security.

In short, could you please advise / respond on:
- The expected timeline or requirements for a stable/final BeanUtils2 2.0.0 release?
- Whether there are any remaining blockers or areas where the community can assist?
- Any official position on the referenced security concern in beanutils 1.9.x-1.10.x, given the current dependency structure?
Best,
Zach Dove, Software Developer, D2, Store Transactions
P 828.265.2907 | www.ecrs.com