chrismaeda commented on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789868132


   > > Yep I have done this before with other libraries and put in Maven Central in my `com.melloware` artifact but was really hoping not to have to do that with an Apache Commons Library. But you are right I think I have no choice...
   > 
   > Yep...please only do this when necessary...
   
   So beanutils 1.9.4 is 2 years old and has a small dependency on commons-collections 3, which is red-flagged for security vulnerabilities. A lot of things have dependencies on beanutils; e.g. Grails 4.0.x depends on commons-validator which depends on beanutils.
   
   I'm offering to help do an update of these commons components to fix security issues. But it sounds like the official position I'm getting here is that we should maintain our own forks and wait for version 2?
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

