Note I have already submitted a JasperReports PR against BeanUtils 2.0.0-M1
months ago but the author doesn't like that it's an M1.

See: https://github.com/Jaspersoft/jasperreports/pull/488

On Tue, May 20, 2025 at 1:49 PM Gary Gregory <garydgreg...@gmail.com> wrote:

> Hi Zach,
>
> There is no official or unofficial release date yet because I would like to
> get more community feedback before we set the API in stone for 2.0.0.
>
> It would be painful if your port from 1.x to 2.x revealed issues requiring
> API changes that we couldn't make until 3.x. Would you use 2.0.0-M1 and
> report your findings?
>
> > blocker for our migration of our software suite from Java 11 to Java 21
>
> I'm not sure what this has to do with BU as BU 1.x and 2.x are both tested
> against all Java LTS versions: 8, 11, 17, 21 (See GitHub).
>
> Issue https://issues.apache.org/jira/browse/BEANUTILS-532 is handled in
> 2.0.0-M1.
>
> WRT COLLECTIONS-701
> (https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23),
> this can only happen due to a programming error, and was fixed in 4.3.
>
> > The expected timeline or requirements for a stable/final BeanUtils2 2.0.0
> > release?
>
> See above, in brief, please port to 2.0.0-M1.
>
> > Whether there are any remaining blockers or areas where the community can
> > assist?
>
> - Testing 2.0.0-M1 and/or 2.0.0-M2-SNAPSHOT in your environment would be
> the most helpful.
> - You can also see Jira and GitHub pull requests to see if there are open
> issues that would matter to you.
>
> > Any official position on the referenced security concern in beanutils
> > 1.9.x-1.10.x, given the current dependency structure?
>
> If by security concern you mean
> https://issues.apache.org/jira/browse/BEANUTILS-532, this is addressed in
> BU 2.0.0-M1 and cannot be fixed in BU 1 since updating Commons
> Collections 3.x to 4.x would break binary compatibility.
>
> HTH,
> Gary
>
>
> On Tue, May 20, 2025 at 10:47 AM Zach Dove <zd...@ecrs.com.invalid> wrote:
>
> > Hello,
> >
> > I’d like to ask about the plans for an official release of BeanUtils2
> > (2.0.0 final). We are tracking this for our migration to Java 21 and
> > JasperReports 7.
> >
> > The milestone releases (2.0.0-M1) are helpful, but is there a timeline or
> > roadmap for a stable, non-milestone release?
> > I'm referencing from
> > https://commons.apache.org/proper/commons-beanutils/changes.html .
> >
> > Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks
> > like a release was made through 'melloware' group as a non-Apache
> > alternative to swap 2.0.0-M1 to 2.0.0.
> > I've followed up with melloware on the issue of
> > https://github.com/Jaspersoft/jasperreports/issues/260
> >
> >
> > Currently the lack of a vision for an official final release of BeanUtils2
> > remains a concerning blocker for our migration of our software suite from
> > Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.
> >
> >
> > In addition, https://github.com/apache/commons-beanutils/security does
> > not contain any disclaimer disregarding a continuous concern within the
> > community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 /
> > COLLECTIONS-701,  revolving around the concerns of the changes made in
> > commons-collections4, 4.2,
> >
> >
> > https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> >
> >
> > I took the time to look through the dependencies in commons-beanutils,
> >  commons-beanutils2, commons-digester, collections 3.2 /
> > commons-collections4 and was unable to find SetUniqueList being used
> > across these components that directly impacts commons-beanutils
> > functionality & security.
> >
> >
> > In short, could you please advise / respond on:
> > - The expected timeline or requirements for a stable/final BeanUtils2
> > 2.0.0 release?
> > - Whether there are any remaining blockers or areas where the community
> > can assist?
> > - Any official position on the referenced security concern in beanutils
> > 1.9.x-1.10.x, given the current dependency structure?
> >
> > Best,
> >
> > Zach Dove, Software Developer, D2, Store Transactions
> > P 828.265.2907 | www.ecrs.com
> >
>


-- 
==============================
Melloware
melloware...@gmail.com
http://melloware.com
==============================
