[
https://issues.apache.org/jira/browse/LANG-1777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bence Hornák updated LANG-1777:
-------------------------------
Description:
Version 3.18.0 comes with many deprecations. Many of the most commonly used
functions are now deprecated, which is breaking a lot of projects' CI:
* {{StringUtils.equals()}} -> {{Strings.CS.equals()}}
* {{StringUtils.startsWith()}} -> {{Strings.CS.startsWith()}}
* {{StringUtils.endsWith()}} -> {{Strings.CS.endsWith()}}
* {{StringUtils.contains()}} -> {{Strings.CS.contains()}}
* {{StringUtils.replace()}} -> {{Strings.CS.replace()}}
* {{StringUtils.indexOf()}} -> {{Strings.CS.indexOf()}}
* {{StringUtils.remove(String, String)}} -> {{Strings.CS.remove()}}
* {{StringUtils.compare(String, String)}} -> {{Strings.CS.compare()}}
* {{StringUtils.equalsIgnoreCase()}} -> {{Strings.CI.equals()}}
* {{StringUtils.startsWithIgnoreCase()}} -> {{Strings.CI.startsWith()}}
* {{StringUtils.endsWithIgnoreCase()}} -> {{Strings.CI.endsWith()}}
* {{StringUtils.containsIgnoreCase()}} -> {{Strings.CI.contains()}}
* {{StringUtils.replaceIgnoreCase()}} -> {{Strings.CI.replace()}}
* {{ObjectsUtils.defaultIfNull()}} -> god knows what
* ...
I find the value of these refactors really questionable. They require thousands
of developers world-wide to update millions of places in code bases to follow
the new best practices... for what? I would even say the new syntax is more
confusing, because it might not be intuitive for all, what 'CI' and 'CS' stand
for. Besides, the old static method calls have become virtual method calls,
which come with a [considerable performance
penalty|https://stackoverflow.com/a/28511095] for time-sensitive applications.
The Apache commons libs are widely used due to their stability, meaning that
once you refer a method from your code, you can keep using the function
securely for decades to come.
Timing-wise these breaking changes are quite critical, because
[CVE-2025-48924|https://www.cve.org/CVERecord?id=CVE-2025-48924] has just been
published, so a lot of users are forced to upgrade their projects from 3.x.x to
3.18.0 ASAP. One could argue that deprecations are not breaking changes, but
for users, who are compiling with strict compiler flags (e.g. {{{}-Werror{}}})
they are.
My recommendation is to:
# Release 3.17.1 ASAP with a security fix
[CVE-2025-48924|https://www.cve.org/CVERecord?id=CVE-2025-48924] to to allow
users to upgrade to a secure version without the need to go through all these
refactors
# Reconsider these deprecations, and relax them to recommendations or just
revert them altogether
was:
Version 3.18.0 comes with many deprecations. Many of the most commonly used
functions are now deprecated, which is breaking a lot of projects' CI:
* {{StringUtils.equals()}} -> {{Strings.CS.equals()}}
* {{StringUtils.startsWith()}} -> {{Strings.CS.startsWith()}}
* {{StringUtils.endsWith()}} -> {{Strings.CS.endsWith()}}
* {{StringUtils.contains()}} -> {{Strings.CS.contains()}}
* {{StringUtils.replace()}} -> {{Strings.CS.replace()}}
* {{StringUtils.equalsIgnoreCase()}} -> {{Strings.CI.equals()}}
* {{StringUtils.startsWithIgnoreCase()}} -> {{Strings.CI.startsWith()}}
* {{StringUtils.endsWithIgnoreCase()}} -> {{Strings.CI.endsWith()}}
* {{StringUtils.containsIgnoreCase()}} -> {{Strings.CI.contains()}}
* {{ObjectsUtils.defaultIfNull()}} -> god knows what
* ...
I find the value of these refactors really questionable. They require thousands
of developers world-wide to update millions of places in code bases to follow
the new best practices... for what? I would even say the new syntax is more
confusing, because it might not be intuitive for all, what 'CI' and 'CS' stand
for. Besides, the old static method calls have become virtual method calls,
which come with a [considerable performance
penalty|https://stackoverflow.com/a/28511095] for time-sensitive applications.
The Apache commons libs are widely used due to their stability, meaning that
once you refer a method from your code, you can keep using the function
securely for decades to come.
Timing-wise these breaking changes are quite critical, because
[CVE-2025-48924|https://www.cve.org/CVERecord?id=CVE-2025-48924] has just been
published, so a lot of users are forced to upgrade their projects from 3.x.x to
3.18.0 ASAP. One could argue that deprecations are not breaking changes, but
for users, who are compiling with strict compiler flags (e.g. {{{}-Werror{}}})
they are.
My recommendation is to:
# Release 3.17.1 ASAP with a security fix
[CVE-2025-48924|https://www.cve.org/CVERecord?id=CVE-2025-48924] to to allow
users to upgrade to a secure version without the need to go through all these
refactors
# Reconsider these deprecations, and relax them to recommendations or just
revert them altogether
> Revert deprecations of 3.18.0
> -----------------------------
>
> Key: LANG-1777
> URL: https://issues.apache.org/jira/browse/LANG-1777
> Project: Commons Lang
> Issue Type: Wish
> Components: lang.*
> Affects Versions: 3.18.0
> Reporter: Bence Hornák
> Priority: Critical
>
> Version 3.18.0 comes with many deprecations. Many of the most commonly used
> functions are now deprecated, which is breaking a lot of projects' CI:
> * {{StringUtils.equals()}} -> {{Strings.CS.equals()}}
> * {{StringUtils.startsWith()}} -> {{Strings.CS.startsWith()}}
> * {{StringUtils.endsWith()}} -> {{Strings.CS.endsWith()}}
> * {{StringUtils.contains()}} -> {{Strings.CS.contains()}}
> * {{StringUtils.replace()}} -> {{Strings.CS.replace()}}
> * {{StringUtils.indexOf()}} -> {{Strings.CS.indexOf()}}
> * {{StringUtils.remove(String, String)}} -> {{Strings.CS.remove()}}
> * {{StringUtils.compare(String, String)}} -> {{Strings.CS.compare()}}
> * {{StringUtils.equalsIgnoreCase()}} -> {{Strings.CI.equals()}}
> * {{StringUtils.startsWithIgnoreCase()}} -> {{Strings.CI.startsWith()}}
> * {{StringUtils.endsWithIgnoreCase()}} -> {{Strings.CI.endsWith()}}
> * {{StringUtils.containsIgnoreCase()}} -> {{Strings.CI.contains()}}
> * {{StringUtils.replaceIgnoreCase()}} -> {{Strings.CI.replace()}}
> * {{ObjectsUtils.defaultIfNull()}} -> god knows what
> * ...
> I find the value of these refactors really questionable. They require
> thousands of developers world-wide to update millions of places in code bases
> to follow the new best practices... for what? I would even say the new syntax
> is more confusing, because it might not be intuitive for all, what 'CI' and
> 'CS' stand for. Besides, the old static method calls have become virtual
> method calls, which come with a [considerable performance
> penalty|https://stackoverflow.com/a/28511095] for time-sensitive applications.
> The Apache commons libs are widely used due to their stability, meaning that
> once you refer a method from your code, you can keep using the function
> securely for decades to come.
> Timing-wise these breaking changes are quite critical, because
> [CVE-2025-48924|https://www.cve.org/CVERecord?id=CVE-2025-48924] has just
> been published, so a lot of users are forced to upgrade their projects from
> 3.x.x to 3.18.0 ASAP. One could argue that deprecations are not breaking
> changes, but for users, who are compiling with strict compiler flags (e.g.
> {{{}-Werror{}}}) they are.
> My recommendation is to:
> # Release 3.17.1 ASAP with a security fix
> [CVE-2025-48924|https://www.cve.org/CVERecord?id=CVE-2025-48924] to to allow
> users to upgrade to a secure version without the need to go through all these
> refactors
> # Reconsider these deprecations, and relax them to recommendations or just
> revert them altogether
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
