Dear Commons Dev Team,

In LANG-1777 <https://issues.apache.org/jira/browse/LANG-1777> I've
expressed my frustration with 3.18.0, after a very long day of trying to
migrate a single repository from using StringUtils to Strings.CI/CS. In my
opinion, this is a huge misstep for the commons lib, given its reputation
for stable APIs.

Quote from the ticket:

> Version 3.18.0 comes with many deprecations. Many of the most commonly
> used functions are now deprecated, which is breaking a lot of projects' CI:
>
>    - StringUtils.equals() -> Strings.CS.equals()
>    - StringUtils.startsWith() -> Strings.CS.startsWith()
>    - StringUtils.endsWith() -> Strings.CS.endsWith()
>    - StringUtils.contains() -> Strings.CS.contains()
>    - StringUtils.replace() -> Strings.CS.replace()
>    - StringUtils.indexOf() -> Strings.CS.indexOf()
>    - StringUtils.remove(String, String) -> Strings.CS.remove()
>    - StringUtils.compare(String, String) -> Strings.CS.compare()
>    - StringUtils.equalsIgnoreCase() -> Strings.CI.equals()
>    - StringUtils.startsWithIgnoreCase() -> Strings.CI.startsWith()
>    - StringUtils.endsWithIgnoreCase() -> Strings.CI.endsWith()
>    - StringUtils.containsIgnoreCase() -> Strings.CI.contains()
>    - StringUtils.replaceIgnoreCase() -> Strings.CI.replace()
>    - ObjectsUtils.defaultIfNull() -> god knows what
>    - ...
>
> I find the value of these refactors really questionable. They require
> thousands of developers world-wide to update millions of places in code
> bases to follow the new best practices... for what? I would even say the
> new syntax is more confusing, because it might not be intuitive for all,
> what 'CI' and 'CS' stand for. Besides, the old static method calls have
> become virtual method calls, which come with a considerable performance
> penalty <https://stackoverflow.com/a/28511095> for time-sensitive
> applications.
>
> The Apache commons libs are widely used due to their stability, meaning
> that once you refer to a method from your code, you can keep using the
> function securely for decades to come.
>
> Timing-wise these breaking changes are quite critical, because
> CVE-2025-48924 <https://www.cve.org/CVERecord?id=CVE-2025-48924> has just
> been published, so a lot of users are forced to upgrade their projects from
> 3.x.x to 3.18.0 ASAP. One could argue that deprecations are not breaking
> changes, but for users who are compiling with strict compiler flags (e.g.
> -Werror) they are.
>
> My recommendation is to:
>
>    1. Release 3.17.1 ASAP with a security fix for CVE-2025-48924
>    <https://www.cve.org/CVERecord?id=CVE-2025-48924> to allow users
>    to upgrade to a secure version without the need to go through all these
>    refactors
>    2. Reconsider these deprecations, and relax them to recommendations or
>    just revert them altogether
>
> Let me know what you think.

Best regards,
Bence
