There is a known security risk in commons-collections 3.2.1 - you can read about it here in the 3.2.2 release notes:
https://commons.apache.org/proper/commons-collections/release_3_2_2.html I've created an issue to bump for 3.1.2: https://issues.apache.org/jira/browse/TINKERPOP-1198 I will assume lazy consensus and move forward on this if there are no objections in the next three days (Sunday March 6, 2016 4:30pm EST). Thanks, Stephen
