[
https://issues.apache.org/jira/browse/WW-5632?focusedWorklogId=1024462&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1024462
]
ASF GitHub Bot logged work on WW-5632:
--------------------------------------
Author: ASF GitHub Bot
Created on: 10/Jun/26 12:34
Start Date: 10/Jun/26 12:34
Worklog Time Spent: 10m
Work Description: sonarqubecloud[bot] commented on PR #1735:
URL: https://github.com/apache/struts/pull/1735#issuecomment-4670228594
## [](https://sonarcloud.io/dashboard?id=apache_struts&pullRequest=1735)
**Quality Gate passed**
Issues
 [0 New
issues](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=1735&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true)
 [0 Accepted
issues](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=1735&issueStatuses=ACCEPTED)
Measures
 [0 Security
Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts&pullRequest=1735&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true)
 [96.0% Coverage on New
Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=1735&metric=new_coverage&view=list)
 [0.0% Duplication on New
Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=1735&metric=new_duplicated_lines_density&view=list)
<!
Issue Time Tracking
-------------------
Worklog Id: (was: 1024462)
Time Spent: 0.5h (was: 20m)
> Harden commons-fileupload2 dependency against milestone binary-incompatibility
> ------------------------------------------------------------------------------
>
> Key: WW-5632
> URL: https://issues.apache.org/jira/browse/WW-5632
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors
> Reporter: Lukasz Lenart
> Assignee: Lukasz Lenart
> Priority: Major
> Fix For: 7.2.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> h3. Background
> [WW-5615|https://issues.apache.org/jira/browse/WW-5615] fixed the
> {{NoSuchMethodError}} caused by Apache Commons FileUpload 2.0.0-M5 renaming
> {{setSizeMax}} -> {{setMaxSize}} (and friends), shipped in 7.2.0 via
> [#1584|https://github.com/apache/struts/pull/1584].
> That fix addressed the *symptom* for one milestone bump but not the
> underlying *class of failure*.
> h3. Problem
> Struts depends on _milestone_ ({{-M}}) builds of commons-fileupload2, which
> break binary compatibility between milestones. Three gaps remain on {{main}}:
> * The renamed setters ({{setMaxSize}}, {{setMaxFileCount}},
> {{setMaxFileSize}}) live in
> *{{commons-fileupload2-core}}* ({{AbstractFileUpload}}), but only
> {{commons-fileupload2-jakarta-servlet6}} is pinned in
> {{dependencyManagement}} — {{-core}} is unmanaged, so a transitive dependency
> can pull a mismatched {{-core}} milestone and reproduce the
> {{NoSuchMethodError}}.
> * The {{maven-enforcer-plugin}} {{dependencyConvergence}} rule sits only in
> {{<pluginManagement>}} and is never bound to an active {{<plugins>}} section,
> so it never runs — the build cannot catch a fileupload version skew.
> * Downstream consumer runtimes get an opaque, deep-stack
> {{NoSuchMethodError}} with no actionable guidance.
> h3. Proposed changes
> * *(A1)* Introduce a single {{commons-fileupload2.version}} property and
> manage *both* {{commons-fileupload2-core}} and
> {{commons-fileupload2-jakarta-servlet6}} at that version in
> {{parent/pom.xml}}, forcing a matched {{-core}} version across the reactor.
> * *(A2)* Activate {{maven-enforcer-plugin}} with a fileupload-scoped
> {{bannedDependencies}} rule that fails the build on any commons-fileupload2
> version other than the pinned one (narrow scope, near-zero blast radius).
> * *(B)* Add a once-per-JVM reflective guard in {{AbstractMultiPartRequest}}
> that throws a clear {{StrutsException}} reporting the {{-core}} vs
> {{-jakarta-servlet6}} version skew instead of an opaque
> {{NoSuchMethodError}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
