Creating a PR in JasperReports runs... zero tests?

Gary

On Tue, May 20, 2025 at 4:41 PM Melloware Inc <melloware...@gmail.com> wrote:

> Note I have already submitted a JasperReports PR against BeanUtils 2.0.0-M1
> months ago but the author doesn't like it's an M1.
>
> See: https://github.com/Jaspersoft/jasperreports/pull/488
>
> On Tue, May 20, 2025 at 1:49 PM Gary Gregory <garydgreg...@gmail.com> wrote:
>
> > Hi Zach,
> >
> > There is no official or unofficial release date yet because I would like to
> > get more community feedback before we set the API in stone for 2.0.0.
> >
> > It would be painful if your port from 1.x to 2.x revealed issues requiring
> > API changes that we couldn't make until 3.x. Would you use 2.0.0-M1 and
> > report your findings?
> >
> > > blocker for our migration of our software suite from Java 11 to Java 21
> >
> > I'm not sure what this has to do with BU as BU 1.x and 2.x are both tested
> > against all Java LTS versions: 8, 11, 17, 21 (See GitHub).
> >
> > Issue https://issues.apache.org/jira/browse/BEANUTILS-532 is handled in
> > 2.0.0-M1.
> >
> > WRT COLLECTIONS-701 (
> > https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> > ),
> > this can only happen due to a programming error, and was fixed in 4.3.
> >
> > > The expected timeline or requirements for a stable/final BeanUtils2 2.0.0
> > > release?
> >
> > See above, in brief, please port to 2.0.0-M1.
> >
> > > Whether there are any remaining blockers or areas where the community can
> > > assist?
> >
> > - Testing 2.0.0-M1 and/or 2.0.0-M2-SNAPSHOT in your environment would be
> >   the most helpful.
> > - You can also see Jira and GitHub pull requests to see if there are open
> >   issues that would matter to you.
> >
> > > Any official position on the referenced security concern in beanutils
> > > 1.9.x-1.10.x, given the current dependency structure?
> >
> > If by security concern you mean
> > https://issues.apache.org/jira/browse/BEANUTILS-532, this is addressed in
> > BU 2.0.0-M1 and cannot be fixed in BU 1 since updating Commons
> > Collections 3.x to 4.x would break binary compatibility.
> >
> > HTH,
> > Gary
> >
> > On Tue, May 20, 2025 at 10:47 AM Zach Dove <zd...@ecrs.com.invalid> wrote:
> >
> > > Hello,
> > >
> > > I’d like to ask about the plans for an official release of BeanUtils2
> > > (2.0.0 final). We are tracking this for our migration to Java 21 and
> > > JasperReports 7.
> > >
> > > The milestone releases (2.0.0-M1) are helpful, but is there a timeline or
> > > roadmap for a stable, non-milestone release?
> > > I'm referencing from
> > > https://commons.apache.org/proper/commons-beanutils/changes.html .
> > >
> > > Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks
> > > like a release was made through 'melloware' group as a non-Apache
> > > alternative to swap 2.0.0-M1 to 2.0.0.
> > > I've followed up with melloware on the issue of
> > > https://github.com/Jaspersoft/jasperreports/issues/260
> > >
> > > Currently the lack of a vision for an official final release of BeanUtils2
> > > remains a concerning blocker for our migration of our software suite from
> > > Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.
> > >
> > > In addition, https://github.com/apache/commons-beanutils/security does
> > > not contain any disclaimer disregarding a continuous concern within the
> > > community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 /
> > > COLLECTIONS-701, revolving around the concerns of the changes made in
> > > commons-collections4, 4.2,
> > >
> > > https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> > >
> > > I took the time to look through the dependencies in commons-beanutils,
> > > commons-beanutils2, commons-digester, collections 3.2 /
> > > commons-collections4 and was unable to find SetUniqueList being used
> > > across these components that directly impacts commons-beanutils
> > > functionality & security.
> > >
> > > In short, could you please advise / respond on:
> > > - The expected timeline or requirements for a stable/final BeanUtils2
> > >   2.0.0 release?
> > > - Whether there are any remaining blockers or areas where the community
> > >   can assist?
> > > - Any official position on the referenced security concern in beanutils
> > >   1.9.x-1.10.x, given the current dependency structure?
> > >
> > > Best,
> > >
> > > Zach Dove, Software Developer, D2, Store Transactions
> > > P 828.265.2907 | www.ecrs.com
>
> --
> ==============================
> Melloware
> melloware...@gmail.com
> http://melloware.com
> ==============================