On Tue, May 20, 2025 at 11:24 AM Melloware Inc <melloware...@gmail.com> wrote:
> I +1 this vote for an official BeanUtils 2.0.0 release. I am using it in > Production as M1 for months now without issue. > Good to know! TY. Have you tried a snapshot from git master? It would be good to know if there are any issues there. Gary > > On Tue, May 20, 2025 at 10:47 AM Zach Dove <zd...@ecrs.com.invalid> wrote: > > > Hello, > > > > I’d like to ask about the plans for an official release of BeanUtils2 > > (2.0.0 final). We are tracking this for our migration to Java 21 and > > JasperReports 7. > > > > The milestone releases (2.0.0-M1) are helpful, but is there a timeline or > > roadmap for a stable, non-milestone release? > > I'm referencing from * > https://commons.apache.org/proper/commons-beanutils/changes.html > > <https://commons.apache.org/proper/commons-beanutils/changes.html>* . > > > > Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks > > a release was made through 'melloware' group as a non-Apache alternative > to > > swap 2.0.0-M1 to 2.0.0. > > I've followed up with melloware on the issue of > > https://github.com/Jaspersoft/jasperreports/issues/260 > > > > > > Currently the lack of a vision for an official final release of > BeanUtils2 > > remains a concerning blocker for our migration of our software suite from > > Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7. > > > > > > In addition, https://github.com/apache/commons-beanutils/security does > > not contain any disclaimer disregarding a continuous concern within the > > community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 / > > COLLECTIONS-701, revolving around the concerns of the changes made in > > commons-collections4, 4.2, > > > > > Https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23 > > < > https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23 > > > > > > > > I took the time to look through the dependencies in commons-beanutils, > > commons-beanutils2, commons-digester, collections 3.2 / > > commons-collections4 and was unable to find SetUniqueList being used > > across these components that directly impacts commons-beanutils > > functionality & security. > > > > > > In short, could you please advise / response on: > > - The expected timeline or requirements for a stable/final BeanUtils2 > > 2.0.0 release? > > - Whether there are any remaining blockers or areas where the community > > can assist? > > - Any official position on the referenced security concern in beanutils > > 1.9.x-1.10.x, given the current dependency structure? > > > > Best, > > > > *Zach Dove,* Software Developer, D2, Store Transactions > > *P* 828.265.2907* | <https://www.ecrs.com>** www.ecrs.com > > <https://www.ecrs.com>* > > > > * <https://www.ecrs.com> <https://www.ecrs.com>** <https://www.ecrs.com/ > >* > > > > * <https://hubs.li/Q02rFH810>* * <https://hubs.li/Q02rFH1C0>* * > > <https://hubs.li/Q02rFGDm0>* * <https://hubs.li/Q02rFGPZ0>* > > > > * <https://hubs.li/Q03lHLjF0>* > > > > * <https://hubs.li/Q03kr_3k0>* > > > > > > -- > ============================== > Melloware > melloware...@gmail.com > http://melloware.com > ============================== >
