Is the idea to release every class which got or can have a CVE in an
independent jar?

I think we should stick to dependency and consistency modularity. Now if you
only want a few methods of StringUtils you can copy them; it is what people
not willing to use commons generally do and it is not bad. Now if you need more
you do use commons and accept it as a dependency, so I wouldn't fight a CVE-
driven approach which can just lead to inconsistent jars and dependency
convergence headaches when using mixed transitive dependencies - and neither Maven
nor Gradle know how to solve it in several cases ;).

Romain Manni-Bucau
@rmannibucau <https://x.com/rmannibucau> | .NET Blog
<https://dotnetbirdie.github.io/> | Blog <https://rmannibucau.github.io/> | Old
Blog <http://rmannibucau.wordpress.com> | Github
<https://github.com/rmannibucau> | LinkedIn
<https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/en-us/product/java-ee-8-high-performance-9781788473064>
Javaccino founder (Java/.NET service - contact via linkedin)


On Wed, 29 Oct 2025 at 19:34, Vladimir Sitnikov <[email protected]>
wrote:

> >commit introduced from merging a user-provided patch. It went through the
> entire review process
>
> As far as I understand, log4shell was effectively caused by "all features
> in a single jar" design.
> If log4j had multiple jar files, then the users could depend only on the
> features they
> use, so the impact of the CVE would be much less.
>
> At the same time, the patch of "allow jndi resolution" could land on its
> own jar, so it would impact a subset of the users only.
> Code review could catch the issue of adding too many features to the single
> jar.
>
> ---
>
> Here's the similar case in commons-lang:
> A recent CVE-2025-48924 relates to ClassUtils while commons-lang is
> often used for its StringUtils only.
>
> If commons-lang was modular like commons-stringutils, commons-classutils,
> and so on,
> then it would be much more secure for the end-users.
>
> Here's a question: what do you think of releasing commons-stringutils.jar
> with StringUtils and Strings classes only?
>
> Frankly, many projects use only StringUtils, yet they suffer from
> accidental CVEs in one of the classes they never use.
>
> Vladimir
>
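As an added example (not code from this thread, nor from Apache Commons), here is a Python scanner a consumer could run over their own application jar to answer the exposure question Vladimir raises: does the code actually reference ClassUtils, the class tied to CVE-2025-48924, or only StringUtils? The sample jar and its fake class files are constructed inline; the watched class names are the commons-lang3 internal names.

```python
import io
import zipfile

# Internal (slash-separated) class names to look for. The CVE next to ClassUtils
# is the one the thread mentions; StringUtils is the class most projects only use.
WATCH = {
    "org/apache/commons/lang3/ClassUtils": "CVE-2025-48924 (named in the thread)",
    "org/apache/commons/lang3/StringUtils": "no CVE named in the thread",
}

def scan_jar(jar_bytes: bytes) -> dict:
    """Return {watched internal name: [jar entries that reference it]}.
    Class names sit in the constant pool as modified-UTF-8 strings, so a byte
    search per .class entry is a good first-pass inventory: it may over-report
    (a name inside a string literal) but never under-report."""
    hits = {name: [] for name in WATCH}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if not entry.endswith(".class"):
                continue
            data = zf.read(entry)
            if data[:4] != b"\xca\xfe\xba\xbe":  # not a class file, skip it
                continue
            for name in WATCH:
                if name.encode() in data:
                    hits[name].append(entry)
    return hits

def exposed_classes(jar_bytes: bytes) -> list:
    """Application classes that reference ClassUtils, i.e. are in the CVE's scope."""
    return scan_jar(jar_bytes)["org/apache/commons/lang3/ClassUtils"]

def build_sample_jar() -> bytes:
    """Constructed sample jar: two fake classes, only one of them touching ClassUtils."""
    def fake_class(refs):
        # magic, minor/major version, then bogus CONSTANT_Utf8 entries (tag 1, length, bytes)
        pool = b"".join(b"\x01" + len(r).to_bytes(2, "big") + r.encode() for r in refs)
        return b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/Greeting.class", fake_class(["org/apache/commons/lang3/StringUtils"]))
        zf.writestr("app/Loader.class", fake_class(["org/apache/commons/lang3/ClassUtils",
                                                    "org/apache/commons/lang3/StringUtils"]))
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, users in scan_jar(build_sample_jar()).items():
        print(f"{name} [{WATCH[name]}]: {users or 'not referenced'}")
```

Point it at a real build artifact to see whether an upgrade for the ClassUtils CVE is a must-fix or only a dependency hygiene item for that application.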
