On Tue, Jun 2, 2026, 15:55 Oleg Kalnichevski <[email protected]> wrote:
> On Tue, 2026-06-02 at 15:33 -0400, Gary Gregory wrote:
> > On Tue, Jun 2, 2026 at 3:18 PM Oleg Kalnichevski <[email protected]> wrote:
> > >
> > > Folks
> > >
> > > I think it is time to officially declare HttpClient 4.x at the end of
> > > life and discontinue its support.
> > >
> > > Does anyone see any good reason to keep it supported?
> >
> > I'm OK to keep supporting it, as it still lives deep in some of my
> > transitive dependencies.
> >
>
> Would you be willing to be the release manager for the 4.5.x branch?
>

Yes, absolutely.

> > I would even consider adding a toggle to all versions that says: "Even
> > though I've added a header manually, I don't want it magically
> > forwarded on any redirect-type of operation. Maybe there's 2 APIs: add
> > short vs. long lived header.
> >
>
> I doubt we need such a toggle or two types of APIs given we have
> request / exec interceptors.
>
> > This comes up so often as a security issue, that I wish we could force
> > users to call a "I know what I'm doing" API because adding a plain old
> > header seems like normal behavior for these folks.
> >
>
> The problem is our poor documentation and overabundance of "security
> professionals".
>

Don't I know it! And now we have the equivalent of script kiddies armed with AI and ignorance.

Gary

> Oleg
>
> > 2c,
> > Gary
> >
> > >
> > > Oleg
