@lhotari lhotari commented Nov 27, 2025

Motivation

commons-collections is marked as vulnerable in Sonatype with identifier sonatype-2024-3350, although no public CVE exists for commons-collections 3.3.2. The issue is https://issues.apache.org/jira/browse/COLLECTIONS-701.
Since the dependency seems to be unnecessary, it's better to exclude it completely.

Changes

  • exclude commons-collections from the transitive dependencies of commons-beanutils
    • commons-collections is an optional dependency of commons-beanutils
  • upgrade hadoop version to 3.4.2 which replaces commons-collections with commons-collections4
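Added illustration, not the PR's own diff (which is not shown on this page): how the commons-collections exclusion described above looks in a Maven pom.xml. The `${commons-beanutils.version}` property name and the choice of `hadoop-common` as the Hadoop module are assumptions; 3.4.2 is the Hadoop version named in the PR.

```xml
<!-- Added example (not the PR's diff): drop the optional commons-collections
     artifact that commons-beanutils would otherwise pull in transitively.
     commons-beanutils.version is a placeholder property name. -->
<properties>
  <hadoop.version>3.4.2</hadoop.version>
</properties>

<dependencies>
  <dependency>
    <groupId>commons-beanutils</groupId>
    <artifactId>commons-beanutils</artifactId>
    <version>${commons-beanutils.version}</version>
    <exclusions>
      <!-- commons-collections is optional for commons-beanutils, so excluding
           it removes the scanner-flagged artifact from the dependency tree
           without losing any functionality the project relies on -->
      <exclusion>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Hadoop 3.4.2 depends on commons-collections4 instead of the
       legacy commons-collections artifact; hadoop-common is an assumed module -->
  <dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-common</artifactId>
    <version>${hadoop.version}</version>
  </dependency>
</dependencies>
```

To confirm nothing else still pulls the artifact in, `mvn dependency:tree -Dincludes=commons-collections:commons-collections` should report no matching nodes; any match points at another path that needs the same exclusion.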

In order to uphold a high standard for quality for code contributions, Apache BookKeeper runs various precommit
checks for pull requests. A pull request can only be merged when it passes precommit checks.


Be sure to do all the following to help us incorporate your contribution
quickly and easily:

If this PR is a BookKeeper Proposal (BP):

  • Make sure the PR title is formatted like:
    <BP-#>: Description of bookkeeper proposal
    e.g. BP-1: 64 bits ledger is support
  • Attach the master issue link in the description of this PR.
  • Attach the google doc link if the BP is written in Google Doc.

Otherwise:

  • Make sure the PR title is formatted like:
    <Issue #>: Description of pull request
    e.g. Issue 123: Description ...
  • Make sure tests pass via mvn clean apache-rat:check install spotbugs:check.
  • Replace <Issue #> in the title with the actual Issue number.

@lhotari lhotari self-assigned this Nov 27, 2025
@lhotari lhotari added the dependencies Pull requests that update a dependency file label Nov 27, 2025
@lhotari lhotari added this to the 4.18.0 milestone Nov 27, 2025
@lhotari lhotari merged commit a369fe7 into apache:master Nov 28, 2025
38 of 42 checks passed
lhotari added a commit that referenced this pull request Nov 28, 2025
* [fix] Exclude optional commons-collections dependency from commons-beanutils

* Update license files

* Upgrade hadoop to 3.4.2 version

(cherry picked from commit a369fe7)
priyanshu-ctds pushed a commit to datastax/bookkeeper that referenced this pull request Dec 2, 2025
* [fix] Exclude optional commons-collections dependency from commons-beanutils

* Update license files

* Upgrade hadoop to 3.4.2 version

(cherry picked from commit a369fe7)
(cherry picked from commit d95cf46)
srinath-ctds pushed a commit to datastax/bookkeeper that referenced this pull request Dec 4, 2025
* [fix] Exclude optional commons-collections dependency from commons-beanutils

* Update license files

* Upgrade hadoop to 3.4.2 version

(cherry picked from commit a369fe7)
(cherry picked from commit d95cf46)
Labels

cherry-picked/branch-4.17 dependencies Pull requests that update a dependency file release/4.17.3