[ 
https://issues.apache.org/jira/browse/GEODE-10549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jinwoo Hwang updated GEODE-10549:
---------------------------------
    Summary: Upgrade commons-io from 2.15.1 to 2.18.0  (was: pgrade commons-io 
from 2.15.1 to 2.18.0)

> Upgrade commons-io from 2.15.1 to 2.18.0
> ----------------------------------------
>
>                 Key: GEODE-10549
>                 URL: https://issues.apache.org/jira/browse/GEODE-10549
>             Project: Geode
>          Issue Type: Improvement
>            Reporter: Jinwoo Hwang
>            Priority: Major
>
> h1. Upgrade commons-io from 2.15.1 to 2.18.0
> h2. Summary
> Upgrade Apache Commons IO library from version 2.15.1 to 2.18.0 as part of 
> dependency maintenance and to address critical bug fixes.
> h2. Description
> This upgrade is part of the GEODE-10543 dependency modernization effort, 
> performed alongside the commons-lang3 upgrade to maintain library 
> compatibility and consistency.
> h3. Key Improvements in 2.18.0:
> * *IO-856*: Fixed {{FileUtils.listFiles()}} throwing {{NoSuchFileException}}
> * *IO-859*: Fixed {{FileUtils.forceDelete()}} on non-existent Windows files 
> throwing {{IOException}} instead of {{FileNotFoundException}}
> * *IO-863*: Fixed incompatible change to {{FileUtils.listFiles()}} regarding 
> extensions
> * *IO-860*: Added missing reserved file names in {{FileSystem.WINDOWS}} 
> (superscript digits for COM and LPT)
> * Enhanced {{ValidatingObjectInputStream}} with builder pattern for safe 
> deserialization
> * Improved {{RandomAccessFile}} support and stream handling
> h3. Compatibility:
> * Binary compatible: Yes
> * Source compatible: Yes  
> * Semantic compatible: Yes
> * No breaking API changes
> * All intermediate versions (2.16.0, 2.17.0, 2.18.0) maintain full backward 
> compatibility
> h3. Risk Assessment:
> *Low risk* - This is a maintenance upgrade with no known security 
> vulnerabilities in 2.15.1. The upgrade prevents potential file operation 
> issues, particularly on Windows platforms, and aligns with modern Java best 
> practices.
> h2. Testing:
> * Full test suite executed with Java 8
> * All builds pass with quality checks (spotless, RAT, PMD, Javadoc)
> * No test failures related to commons-io changes
> h2. Files Modified:
> * {{build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy}}
> ** Line 37: {{deps.put("commons-io.version", "2.18.0")}}
> h2. Related:
> * Part of GEODE-10543: Security and dependency upgrades
> * Performed alongside commons-lang3 3.12.0 → 3.18.0 (CVE-2025-48924)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
