[
https://issues.apache.org/jira/browse/LANG-1777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bence Hornák updated LANG-1777:
-------------------------------
Description:
Version 3.18.0 comes with many deprecations. Many of the most commonly used
functions are now deprecated, which is breaking a lot of projects CI:
* {{StringUtils.equals()}} -> {{Strings.CS.equals()}}
* {{StringUtils.equalsIgnoreCase()}} -> {{Strings.CI.equals()}}
* {{ObjectsUtils.defaultIfNull()}} -> god knows what
* ...
I find the value of these refactors really questionable. They require thousands
of developers world-wide to update millions of places in code bases to follow
the new best practices... for what? The Apache commons libs are widely used due
to their stability, meaning that once you refer a method from your code, you
can keep using the function securely for decades to come.
Timing-wise these breaking changes are quite critical, because
[CVE-2025-48924|https://www.cve.org/CVERecord?id=CVE-2025-48924] has just been
published, so a lot of users are forced to upgrade their projects from 3.x.x to
3.18.0 ASAP. One could argue that deprecations are not breaking changes, but
for users, who are compiling with strict compiler flags (e.g. `-Werror`) it is.
My recommendation is to:
# Release 3.17.1 ASAP to allow users to upgrade to a secure version without the
need to go through all these refactors
# Reconsider these deprecations, and relax them to recommendations or just
revert them
was:
Version 3.18.0 comes with many deprecations. Many of the most commonly used
functions are now deprecated, which is breaking a lot of projects CI:
* `StringUtils.equals()` -> `Strings.CS.equals()`
* `StringUtils.equalsIgnoreCase()` -> `Strings.CI.equals()`
* `ObjectsUtils.defaultIfNull()` -> god knows what
* ...
I find the value of these refactors really questionable. They require thousands
of developers world-wide to update millions of places in code bases to follow
the new best practices... for what? The Apache commons libs are widely used due
to their stability, meaning that once you refer a method from your code, you
can keep using the function securely for decades to come.
Timing-wise these breaking changes are quite critical, because
[CVE-2025-48924|https://www.cve.org/CVERecord?id=CVE-2025-48924] has just been
published, so a lot of users are forced to upgrade their projects from 3.x.x to
3.18.0 ASAP. One could argue that deprecations are not breaking changes, but
for users, who are compiling with strict compiler flags (e.g. `-Werror`) it is.
My recommendation is to:
# Release 3.17.1 ASAP to allow users to upgrade to a secure version without the
need to go through all these refactors
# Reconsider these deprecations, and relax them to recommendations or just
revert them
> Revert deprecations of 3.18.0
> -----------------------------
>
> Key: LANG-1777
> URL: https://issues.apache.org/jira/browse/LANG-1777
> Project: Commons Lang
> Issue Type: Wish
> Components: lang.*
> Affects Versions: 3.18.0
> Reporter: Bence Hornák
> Priority: Critical
>
> Version 3.18.0 comes with many deprecations. Many of the most commonly used
> functions are now deprecated, which is breaking a lot of projects CI:
> * {{StringUtils.equals()}} -> {{Strings.CS.equals()}}
> * {{StringUtils.equalsIgnoreCase()}} -> {{Strings.CI.equals()}}
> * {{ObjectsUtils.defaultIfNull()}} -> god knows what
> * ...
> I find the value of these refactors really questionable. They require
> thousands of developers world-wide to update millions of places in code bases
> to follow the new best practices... for what? The Apache commons libs are
> widely used due to their stability, meaning that once you refer a method from
> your code, you can keep using the function securely for decades to come.
> Timing-wise these breaking changes are quite critical, because
> [CVE-2025-48924|https://www.cve.org/CVERecord?id=CVE-2025-48924] has just
> been published, so a lot of users are forced to upgrade their projects from
> 3.x.x to 3.18.0 ASAP. One could argue that deprecations are not breaking
> changes, but for users, who are compiling with strict compiler flags (e.g.
> `-Werror`) it is.
> My recommendation is to:
> # Release 3.17.1 ASAP to allow users to upgrade to a secure version without
> the need to go through all these refactors
> # Reconsider these deprecations, and relax them to recommendations or just
> revert them
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
