[ https://issues.apache.org/jira/browse/CONFIGURATION-856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18081772#comment-18081772 ]
Matt Nelson commented on CONFIGURATION-856:
-------------------------------------------
Given the CVE fix in 2.15.0 there will likely be an influx of users upgrading
who will get hit by this issue. When is 2.15.1 scheduled to be released? The
workaround for us was to add commons-io as a runtime dependency.
{noformat}
java.lang.NoClassDefFoundError: org/apache/commons/io/build/AbstractSupplier
at java.base/java.lang.ClassLoader.defineClass1(Native Method)
at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1027)
at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:150)
at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:862)
at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760)
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
at org.apache.commons.configuration2.io.FileLocatorUtils.newDefaultLocationStrategy(FileLocatorUtils.java:495)
at org.apache.commons.configuration2.io.FileLocatorUtils.<clinit>(FileLocatorUtils.java:77)
at org.apache.commons.configuration2.io.FileHandler.emptyFileLocator(FileHandler.java:215)
at org.apache.commons.configuration2.io.FileHandler.<init>(FileHandler.java:267)
at org.apache.commons.configuration2.io.FileHandler.<init>(FileHandler.java:258)
at org.apache.commons.configuration2.builder.FileBasedBuilderParametersImpl.<init>(FileBasedBuilderParametersImpl.java:137)
at org.apache.commons.configuration2.builder.FileBasedBuilderParametersImpl.<init>(FileBasedBuilderParametersImpl.java:127)
at org.apache.commons.configuration2.builder.fluent.Parameters.fileBased(Parameters.java:194)
{noformat}
> The artifact commons-io:commons-io is a normal dependency
> ---------------------------------------------------------
>
> Key: CONFIGURATION-856
> URL: https://issues.apache.org/jira/browse/CONFIGURATION-856
> Project: Commons Configuration
> Issue Type: Bug
> Affects Versions: 2.15.0
> Reporter: Piotr Zygielo
> Assignee: Gary D. Gregory
> Priority: Major
> Fix For: 2.15.1
>
>
> [https://github.com/apache/commons-configuration/commit/f4118174063a576e8f442ef0639cf4279cd71ee2#r185266605]
>
> [https://commons.apache.org/proper/commons-configuration/dependencies.html] - {{commons-io}} is not mentioned
> [https://commons.apache.org/proper/commons-configuration/dependency-convergence.html] - {{commons-io}} could transit from {{commons-vfs2}}, but I'm not using it - hence {{io}} stays as optional
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
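
An added example, not part of the original message or of the Commons Configuration project: a pre-deployment check that scans a directory of jars for the class named in the stack trace above, so a missing commons-io is caught before startup rather than at first use. The jar file names, the `X.Y.Z` version placeholder and the helper functions are assumptions made for the illustration.

```python
import tempfile
import zipfile
from pathlib import Path

# Class named in the NoClassDefFoundError above.
REQUIRED_CLASS = "org.apache.commons.io.build.AbstractSupplier"


def jars_providing(lib_dir, class_name):
    """Return names of jars in lib_dir that contain class_name."""
    entry = class_name.replace(".", "/") + ".class"
    found = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if entry in zf.namelist():
                    found.append(jar.name)
        except zipfile.BadZipFile:
            # A truncated or corrupt jar cannot supply the class; skip it.
            continue
    return found


def make_jar(path, entries):
    """Write a constructed jar holding empty placeholder entries."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")


def demo():
    """Check a constructed lib directory before and after the workaround."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        # Constructed stand-in for the upgraded library jar.
        make_jar(lib / "commons-configuration2-2.15.0.jar",
                 ["org/apache/commons/configuration2/io/FileLocatorUtils.class"])
        before = jars_providing(lib, REQUIRED_CLASS)
        # Workaround from the comment: commons-io on the runtime classpath.
        # X.Y.Z is a placeholder; the page does not name a version.
        make_jar(lib / "commons-io-X.Y.Z.jar",
                 ["org/apache/commons/io/build/AbstractSupplier.class"])
        after = jars_providing(lib, REQUIRED_CLASS)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before workaround:", before or "MISSING")
    print("after workaround:", after)
```

Pointing `jars_providing` at the real runtime lib directory of a packaged application and failing the build on an empty result turns the runtime error into a build-time one.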