https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt says
> The 1.4 release removes serialization from DiskFileItem for security
> reasons, which could be a
> breaking change depending upon one's mechanism of consumption of
> commons-fileupload.

which sounds like it would break normal usage from Jenkins. At least I found the need to whitelist it for JEP-200 and the comment in `FileParameterValue` suggests that this is critical. Perhaps these comments are obsolete, I am not sure, but you would need to check various scenarios involving file uploads and Jenkins restarts.

https://github.com/jenkinsci/file-parameters-plugin uses `FileItem` but only transiently, not in a serialized field, so it should be unaffected.

Certainly it would be desirable to use an unforked upstream release if this can be done compatibly, or if whatever idioms would be broken are sought out and proactively corrected.