abhu85 opened a new pull request, #2631: URL: https://github.com/apache/shiro/pull/2631
## Summary - Replace vulnerable commons-collections 3.2.2 with commons-collections4 4.5.0 - Exclude commons-collections 3.x transitive dependency from commons-beanutils - Update OSGi features.xml bundles to use commons-collections4 ## Security Issue commons-collections 3.2.2 has vulnerability sonatype-2024-3350 (CVSS 8.7). This change migrates to commons-collections4 4.5.0 which has no known vulnerabilities. ## Changes | File | Change | |------|--------| | `pom.xml` | Add `commons.collections4.version` property, exclude commons-collections from beanutils, add commons-collections4 dependency | | `config/ogdl/pom.xml` | Add explicit commons-collections4 dependency | | `support/guice/pom.xml` | Add explicit commons-collections4 dependency | | `support/features/pom.xml` | Remove obsolete `commons.collections.version` property | | `support/features/src/main/resources/features.xml` | Update bundle references to use commons-collections4 | ## Safety Analysis This change is safe because: 1. **No direct usage**: Shiro does not directly import `org.apache.commons.collections` classes 2. **Compatibility**: commons-beanutils 1.11.0 supports commons-collections4 when present on classpath 3. **No code changes**: Only POM/OSGi configuration changes required ## Test Plan - [x] Dependency tree shows commons-collections4 instead of 3.x - [x] No commons-collections 3.x in transitive dependencies - [ ] Full test suite passes (requires Maven 3.9+) ## Compatibility - No breaking changes to API - No changes to runtime behavior - OSGi users will get commons-collections4 bundles instead of 3.x 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
