Hi Zach,

There is no official or unofficial release date yet because I would like to get more community feedback before we set the API in stone for 2.0.0. It would be painful if your port from 1.x to 2.x revealed issues requiring API changes that we couldn't make until 3.x. Would you use 2.0.0-M1 and report your findings?

> blocker for our migration of our software suite from Java 11 to Java 21

I'm not sure what this has to do with BU as BU 1.x and 2.x are both tested against all Java LTS versions: 8, 11, 17, 21 (See GitHub).

Issue https://issues.apache.org/jira/browse/BEANUTILS-532 is handled in 2.0.0-M1.

WRT COLLECTIONS-701 (https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23), this can only happen due to a programming error, and was fixed in 4.3.

> The expected timeline or requirements for a stable/final BeanUtils2 2.0.0 release?

See above, in brief, please port to 2.0.0-M1.

> Whether there are any remaining blockers or areas where the community can assist?

- Testing 2.0.0-M1 and/or 2.0.0-M2-SNAPSHOT in your environment would be the most helpful.
- You can also see Jira and GitHub pull requests to see if there are open issues that would matter to you.

> Any official position on the referenced security concern in beanutils 1.9.x-1.10.x, given the current dependency structure?

If by security concern you mean https://issues.apache.org/jira/browse/BEANUTILS-532, this is addressed in BU 2.0.0-M1 and cannot be fixed in BU 1 since updating Commons Collections 3.x to 4.x would break binary compatibility.

HTH,
Gary

On Tue, May 20, 2025 at 10:47 AM Zach Dove <zd...@ecrs.com.invalid> wrote:

> Hello,
>
> I’d like to ask about the plans for an official release of BeanUtils2
> (2.0.0 final). We are tracking this for our migration to Java 21 and
> JasperReports 7.
>
> The milestone releases (2.0.0-M1) are helpful, but is there a timeline or
> roadmap for a stable, non-milestone release?
> I'm referencing from
> https://commons.apache.org/proper/commons-beanutils/changes.html .
>
> Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks
> a release was made through 'melloware' group as a non-Apache alternative to
> swap 2.0.0-M1 to 2.0.0.
> I've followed up with melloware on the issue of
> https://github.com/Jaspersoft/jasperreports/issues/260
>
> Currently the lack of a vision for an official final release of BeanUtils2
> remains a concerning blocker for our migration of our software suite from
> Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.
>
> In addition, https://github.com/apache/commons-beanutils/security does
> not contain any disclaimer disregarding a continuous concern within the
> community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 /
> COLLECTIONS-701, revolving around the concerns of the changes made in
> commons-collections4, 4.2,
> https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
>
> I took the time to look through the dependencies in commons-beanutils,
> commons-beanutils2, commons-digester, collections 3.2 /
> commons-collections4 and was unable to find SetUniqueList being used
> across these components that directly impacts commons-beanutils
> functionality & security.
>
> In short, could you please advise / respond on:
> - The expected timeline or requirements for a stable/final BeanUtils2
>   2.0.0 release?
> - Whether there are any remaining blockers or areas where the community
>   can assist?
> - Any official position on the referenced security concern in beanutils
>   1.9.x-1.10.x, given the current dependency structure?
>
> Best,
>
> Zach Dove, Software Developer, D2, Store Transactions
> P 828.265.2907 | www.ecrs.com