Hi Amit and all:

I definitely recommend migrating to the latest of the 4.x line.

We provide a kind of version 3.x support in the sense that anyone with historical knowledge or the inclination can answer questions here. As far as any new releases of the 3.x branch, I would say that this would be quite unlikely unless the community was made aware of a critical CVE and decided that a release was warranted.

Security issues should be discussed according to https://commons.apache.org/security.html

We have not made a formal EOL statement of the 3.x line but this would seem like a good idea.

Gary

On Fri, Jun 3, 2022 at 4:23 PM Amit Pande <amit.pa...@veritas.com.invalid> wrote:
>
> Greetings all!
>
> Given that we have around four versions of the commons-collections version
> 4.x.x, I wanted to check if the 3.y.y versions are still supported or not? To
> put it differently, are the 3.y.y EOL'ed?
>
> If not, is it safe to believe that any security vulnerability fixes in 3.y.y
> series will still be made?
>
> I could not find anything on EOL of 3.y.y series, but our organization has
> recommended to move to the 4.x.x line.
> Unfortunately, this is not a drop-in replacement for 3.y.y artifacts and
> moreover in some cases, commons-collections gets pulled in as transitive
> dependency of other libraries.
> As an example, the commons-validator mentions commons-collection 3.y.y as its
> dependency.
> (https://commons.apache.org/proper/commons-validator/dependencies.html)
>
> Appreciate your feedback on this.
>
> Thanks,
> Amit