I'm moving this into a separate thread to make the discussion easier. With the current state of the xss module, we would break every consumer and require her to upgrade code (release their own modules depending on XSS etc). As xss is pretty popular, this means a high burden on our downstream users.
I think we have these options: 1) Pass on the pain to our users, simply release as 2.0.0 and require everyone to upgrade 2) Release the new api as 2.0 under a different symbolic name allowing our users to have new and old side by side. In that case we would need to deprecate 1.x and users should upgrade over time. 3) Best effort: we release as 1.x and know that this is an incompatible change. This will only break users of the old JSONUtil, everyone else runs without any problems. Unfortunately if others are using the util, this will only be detected at runtime. Are the other/better options? I think we should definitely not do 1) Carsten -- Carsten Ziegeler Adobe Research Switzerland cziege...@apache.org