[ 
https://issues.apache.org/jira/browse/CONFIGURATION-776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18041505#comment-18041505
 ] 

Lenny Primak commented on CONFIGURATION-776:
--------------------------------------------

You are right... the CVE is no longer there. I thought commons-collections 
3.2.2 had the CVE, but I can't find it now.

The real issue is the dependency on commons-collections 3 that's 10 years old 
and no longer maintained.
{code:java}
[INFO] |  |  |  \- commons-beanutils:commons-beanutils:jar:1.11.0:compile
[INFO] |  |  |     \- commons-collections:commons-collections:jar:3.2.2:compile
{code}
BeanUtils 2 depends on commons-collections4 which is actively maintained.

> Update Commons BeanUtils from 1.9. to 2.X
> -----------------------------------------
>
>                 Key: CONFIGURATION-776
>                 URL: https://issues.apache.org/jira/browse/CONFIGURATION-776
>             Project: Commons Configuration
>          Issue Type: Task
>    Affects Versions: 2.6
>            Reporter: Melloware
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Update Apache Commons BeanUtils from 1.9. to 2.X
> BeanUtils 2.X removes its dependency on Commons Collections but does change 
> package name to the beanutils2 package.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
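One way to turn the check in this comment into something repeatable, as an added example that is not part of the issue thread or the project's code: a small Python script that parses `mvn dependency:tree` output and reports every transitive path that ends in an unmaintained coordinate. The sample tree and the single deny-list entry (commons-collections 3.x, replaced by commons-collections4) are constructed to match the comment.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in mvn dependency:tree format; the two inner lines mirror the
# comment, the rest is made up for context.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0:compile
[INFO] +- org.apache.commons:commons-configuration2:jar:2.6:compile
[INFO] |  \\- commons-beanutils:commons-beanutils:jar:1.11.0:compile
[INFO] |     \\- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] \\- org.apache.commons:commons-collections4:jar:4.4:compile
"""

# groupId:artifactId -> (affected major version, maintained replacement).
# Assumption: only the coordinate named in the comment is listed here.
UNMAINTAINED: Dict[str, Tuple[str, str]] = {
    "commons-collections:commons-collections": ("3", "org.apache.commons:commons-collections4"),
}

SCOPES = {"compile", "runtime", "test", "provided", "system"}
LINE_RE = re.compile(r"^\[INFO\]\s(?P<prefix>[|+\\\s-]*)(?P<coord>\S+)$")

def parse_tree(text: str) -> List[Tuple[int, str, str]]:
    """Yield (depth, groupId:artifactId, version) for each dependency line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3  # each nesting level is 3 chars wide
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        rows.append((depth, f"{parts[0]}:{parts[1]}", version))
    return rows

def find_unmaintained(text: str) -> List[Dict[str, str]]:
    """Return flagged coordinates with the dependency path that pulls them in."""
    stack: List[str] = []  # ancestors of the current line, indexed by depth
    findings = []
    for depth, ga, version in parse_tree(text):
        del stack[depth:]
        stack.append(ga)
        rule = UNMAINTAINED.get(ga)
        if rule and version.split(".")[0] == rule[0]:
            findings.append({"coordinate": f"{ga}:{version}",
                             "path": " -> ".join(stack),
                             "replacement": rule[1]})
    return findings

if __name__ == "__main__":
    for f in find_unmaintained(SAMPLE_TREE):
        print(f"{f['coordinate']} via {f['path']} (use {f['replacement']})")
```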
