I +1 this vote for an official BeanUtils 2.0.0 release. I have been using it in
production as M1 for months now without issue.

On Tue, May 20, 2025 at 10:47 AM Zach Dove <zd...@ecrs.com.invalid> wrote:

> Hello,
>
> I’d like to ask about the plans for an official release of BeanUtils2
> (2.0.0 final). We are tracking this for our migration to Java 21 and
> JasperReports 7.
>
> The milestone releases (2.0.0-M1) are helpful, but is there a timeline or
> roadmap for a stable, non-milestone release?
> I'm referencing from
> https://commons.apache.org/proper/commons-beanutils/changes.html .
>
> Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks
> like a release was made through 'melloware' group as a non-Apache alternative to
> swap 2.0.0-M1 to 2.0.0.
> I've followed up with melloware on the issue of
> https://github.com/Jaspersoft/jasperreports/issues/260
>
>
> Currently the lack of a vision for an official final release of BeanUtils2
> remains a concerning blocker for our migration of our software suite from
> Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.
>
>
> In addition, https://github.com/apache/commons-beanutils/security does
> not contain any disclaimer disregarding a continuous concern within the
> community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 /
> COLLECTIONS-701,  revolving around the concerns of the changes made in
> commons-collections4, 4.2,
>
> https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
>
>
> I took the time to look through the dependencies in commons-beanutils,
>  commons-beanutils2, commons-digester, collections 3.2 /
> commons-collections4 and was unable to find SetUniqueList being used
> across these components that directly impacts commons-beanutils
> functionality & security.
>
>
> In short, could you please advise / respond on:
> - The expected timeline or requirements for a stable/final BeanUtils2
> 2.0.0 release?
> - Whether there are any remaining blockers or areas where the community
> can assist?
> - Any official position on the referenced security concern in beanutils
> 1.9.x-1.10.x, given the current dependency structure?
>
> Best,
>
> *Zach Dove,*  Software Developer, D2, Store Transactions
> *P* 828.265.2907 | www.ecrs.com <https://www.ecrs.com>

-- 
==============================
Melloware
melloware...@gmail.com
http://melloware.com
==============================
