On 14/11/2025 16:49, Vladimir Sitnikov wrote:

> What I say is that the mere fact that commons-lang3 dropping Java support
> in minor releases
> makes a perfect case to create the policy of restricting the minor upgrades.

Minor releases drop support for EOLed Java versions only, and with a fair margin. For example, Commons Lang 3.8.1 was released 3 years after Java 7 EOL. That's part of what I call doing our homework and being conservative. Folks still running on EOLed Java versions today have many more problems than just CVE-2025-48924; that's a self-inflicted pain they have to deal with (and pay for), not us.


> I'm leaning towards that Java version requirements should be lifted in
> major versions, not minor ones.

That's difficult when the version number is hard coded in the artifact name ;)

Emmanuel Bourg
