[ https://issues.apache.org/jira/browse/CALCITE-7259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18034479#comment-18034479 ]
Alessandro Solimando commented on CALCITE-7259:
-----------------------------------------------
+1 on the idea, it would be great to drop that library, especially for point #1.
> Drop commons-lang3 dependency
> -----------------------------
>
> Key: CALCITE-7259
> URL: https://issues.apache.org/jira/browse/CALCITE-7259
> Project: Calcite
> Issue Type: Improvement
> Affects Versions: 1.40.0
> Reporter: Vladimir Sitnikov
> Priority: Major
>
> Currently Calcite uses only a few classes from commons-lang3, and it would
> probably be worth dropping the dependency for the following reasons:
> 1) Better security. commons-* follows the "all features in a single jar" pattern,
> so a CVE in one of the classes would impact Calcite
> 2) Fewer bytes to ship with the binary distribution for the end-users:
> `commons-lang3` is ~690K
>
> I have raised a suggestion to make commons-lang3 modular and extract modules
> like commons-stringutils, commons-arrayutils, however, the Commons team does
> not seem to like the idea.
> Commons PMC members often suggest that users should clone the code or shade
> commons-lang, see
> https://lists.apache.org/thread/xzdhv57o9rnxtzn5fqbtkzj0hdkbm339
>
> So I wonder what you think of dropping commons-lang3 and replacing it with
> core Java?