I guess that is a question for the JasperReports team. 

Melloware
@melloware on GitHub

> On May 20, 2025, at 5:37 PM, Gary Gregory <garydgreg...@gmail.com> wrote:
> 
> Creating a PR in JasperReports runs... zero tests?
> 
> Gary
> 
> 
>> On Tue, May 20, 2025 at 4:41 PM Melloware Inc <melloware...@gmail.com>
>> wrote:
>> 
>> Note I have already submitted a JasperReports PR against BeanUtils 2.0.0-M1
>> months ago but the author doesn't like that it's an M1.
>> 
>> See: https://github.com/Jaspersoft/jasperreports/pull/488
>> 
>> On Tue, May 20, 2025 at 1:49 PM Gary Gregory <garydgreg...@gmail.com>
>> wrote:
>> 
>>> Hi Zach,
>>> 
>>> There is no official or unofficial release date yet because I would like to
>>> get more community feedback before we set the API in stone for 2.0.0.
>>> 
>>> It would be painful if your port from 1.x to 2.x revealed issues requiring
>>> API changes that we couldn't make until 3.x. Would you use 2.0.0-M1 and
>>> report your findings?
>>> 
>>>> blocker for our migration of our software suite from Java 11 to Java 21
>>> 
>>> I'm not sure what this has to do with BU as BU 1.x and 2.x are both tested
>>> against all Java LTS versions: 8, 11, 17, 21 (See GitHub).
>>> 
>>> Issue https://issues.apache.org/jira/browse/BEANUTILS-532 is handled in
>>> 2.0.0-M1.
>>> 
>>> WRT COLLECTIONS-701
>>> (https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23),
>>> this can only happen due to a programming error, and was fixed in 4.3.
>>> 
>>>> The expected timeline or requirements for a stable/final BeanUtils2 2.0.0
>>>> release?
>>> 
>>> See above, in brief, please port to 2.0.0-M1.
>>> 
>>>> Whether there are any remaining blockers or areas where the community can
>>>> assist?
>>> 
>>> - Testing 2.0.0-M1 and/or 2.0.0-M2-SNAPSHOT in your environment would be
>>> the most helpful.
>>> - You can also see Jira and GitHub pull requests to see if there are open
>>> issues that would matter to you.
>>> 
>>>> Any official position on the referenced security concern in beanutils
>>> 1.9.x-1.10.x, given the current dependency structure?
>>> 
>>> If by security concern you mean
>>> https://issues.apache.org/jira/browse/BEANUTILS-532, this is addressed in
>>> BU 2.0.0-M1 and cannot be fixed in BU 1 since updating Commons
>>> Collections 3.x to 4.x would break binary compatibility.
>>> 
>>> HTH,
>>> Gary
>>> 
>>> 
>>> On Tue, May 20, 2025 at 10:47 AM Zach Dove <zd...@ecrs.com.invalid> wrote:
>>> 
>>>> Hello,
>>>> 
>>>> I’d like to ask about the plans for an official release of BeanUtils2
>>>> (2.0.0 final). We are tracking this for our migration to Java 21 and
>>>> JasperReports 7.
>>>> 
>>>> The milestone releases (2.0.0-M1) are helpful, but is there a timeline or
>>>> roadmap for a stable, non-milestone release?
>>>> I'm referencing from
>>>> https://commons.apache.org/proper/commons-beanutils/changes.html .
>>>> 
>>>> Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks
>>>> a release was made through 'melloware' group as a non-Apache alternative to
>>>> swap 2.0.0-M1 to 2.0.0.
>>>> I've followed up with melloware on the issue of
>>>> https://github.com/Jaspersoft/jasperreports/issues/260
>>>> 
>>>> 
>>>> Currently the lack of a vision for an official final release of BeanUtils2
>>>> remains a concerning blocker for our migration of our software suite from
>>>> Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.
>>>> 
>>>> 
>>>> In addition, https://github.com/apache/commons-beanutils/security does
>>>> not contain any disclaimer disregarding a continuous concern within the
>>>> community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 /
>>>> COLLECTIONS-701, revolving around the concerns of the changes made in
>>>> commons-collections4, 4.2,
>>>> https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
>>>> 
>>>> 
>>>> 
>>>> I took the time to look through the dependencies in commons-beanutils,
>>>> commons-beanutils2, commons-digester, collections 3.2 /
>>>> commons-collections4 and was unable to find SetUniqueList being used
>>>> across these components that directly impacts commons-beanutils
>>>> functionality & security.
>>>> 
>>>> 
>>>> In short, could you please advise / respond on:
>>>> - The expected timeline or requirements for a stable/final BeanUtils2
>>>> 2.0.0 release?
>>>> - Whether there are any remaining blockers or areas where the community
>>>> can assist?
>>>> - Any official position on the referenced security concern in beanutils
>>>> 1.9.x-1.10.x, given the current dependency structure?
>>>> 
>>>> Best,
>>>> 
>>>> Zach Dove, Software Developer, D2, Store Transactions
>>>> P 828.265.2907 | www.ecrs.com
>>>> 
>>>> 
>>> 
>> 
>> 
>> --
>> ==============================
>> Melloware
>> melloware...@gmail.com
>> http://melloware.com
>> ==============================
>> 
