[
https://issues.apache.org/jira/browse/BEANUTILS-577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18088083#comment-18088083
]
Peter De Maeyer commented on BEANUTILS-577:
-------------------------------------------
Yeah, but 2.0.0-M1 is a milestone release, which is over a year old. So I have
dwindling hope for a 2.0.0 release. Nexus IQ (a commercial security scanner)
reports a CVSS 8.7 security vulnerability in {{commons-collections}}. Given
that 1.11.0 is the latest release, [~ggregory], my suggestion is to backport
this to a 1.11.1 or 1.12.0. I understand there may be reasons of "binary
compatibility" as reported on the original (linked) issue, but still I think
it's worth the investigation if we can backport this to a 1.x.y without
breaking binary compatibility.
!sonatype-2024-3350.png!
> Update collections dependency to collections4
> ----------------------------------------------
>
> Key: BEANUTILS-577
> URL: https://issues.apache.org/jira/browse/BEANUTILS-577
> Project: Commons BeanUtils
> Issue Type: Improvement
> Reporter: Steve Lopez
> Priority: Minor
> Fix For: 2.0.0-M1
>
> Attachments: sonatype-2024-3350.png
>
>
> Latest version is dependent on old commons-collections (last updated in
> 2015).
> Request is to update commons-beanutils to use commons-collections4 as it is
> actively maintained. Completing this improvement will enable applications
> to reduce dependency footprint and reduce code bloat when the only library in
> an application needing the old commons-collections library is beanutils.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)