Hi Lukasz,

Thank you for your work on this.

It seems the surface area of changes is large and has an API breaking impact on multiple extension points. I expect the OGNL upgrade itself could also cause breaking behavioural changes. If we're to abide by SemVer here, we should probably release this change as Struts 8.0 rather than 7.1 as many existing applications may not be able to upgrade without making code changes of their own.

Compatibility aside, making major changes to OGNL expression handling has security implications and I feel it might be better to signify this with a major release. It'd be unfortunate to introduce a new security regression in 7.1 after all the work we've done ensuring 7.0 is the most secure Struts release to date.

Just some food for thought.

Kind regards,
Kusal

On Tue, Apr 1, 2025 at 4:27 PM Lukasz Lenart <lukaszlen...@apache.org> wrote:
> Hi,
>
> I'm working on upgrading to the latest OGNL, I targeted 3.4.6 first,
> but that won't work and I have started by introducing a more generic
> OgnlContext in OGNL to support Struts requirements.
>
> You can review this work here
> https://github.com/apache/struts/pull/1249
>
>
> Cheers
> Łukasz
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org