garydgregory commented on pull request #80: URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789907176
> > > Yep I have done this before with other libraries and put in Maven Central in my `com.melloware` artifact but was really hoping not to have to do that with an Apache Commons Library. But you are right I think I have no choice...
> > >
> > > Yep...please only do this when necessary...
>
> So beanutils 1.9.4 is 2 years old and has a small dependency on commons-collections 3, which is red-flagged for security vulnerabilities. A lot of things have dependencies on beanutils; e.g. Grails 4.0.x depends on commons-validator which depends on beanutils.
>
> I'm offering to help do an update of these commons components to fix security issues. But it sounds like the official position I'm getting here is that we should maintain our own forks and wait for version 2?

I would not call it an official position but more of a pragmatic view that we are all volunteering our time here and we all have different priorities. So the release will come when the component is ready and we will want to make sure that it is fully baked. One big issue the 1.x series had is that it surfaces in its API Commons Collections types, such that one cannot switch to Collections 4 without breaking binary compatibility, hence one of the drivers for a new major version in a new package with new Maven coordinates.

> Perhaps I should use the 1.9.4 source as a starting point instead??

That's what I would do.
