[
https://issues.apache.org/jira/browse/LANG-1777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18007569#comment-18007569
]
Bence Hornák commented on LANG-1777:
------------------------------------
[~erans] I've sent an email some minutes ago, but it hasn't appeared on the
mailing list's web interface. Could you check, if I did something wrong?
!image-2025-07-16-15-55-56-182.png!
> Revert deprecations of 3.18.0
> -----------------------------
>
> Key: LANG-1777
> URL: https://issues.apache.org/jira/browse/LANG-1777
> Project: Commons Lang
> Issue Type: Wish
> Components: lang.*
> Affects Versions: 3.18.0
> Reporter: Bence Hornák
> Priority: Critical
> Attachments: image-2025-07-16-15-55-56-182.png
>
>
> Version 3.18.0 comes with many deprecations. Many of the most commonly used
> functions are now deprecated, which is breaking a lot of projects' CI:
> * {{StringUtils.equals()}} -> {{Strings.CS.equals()}}
> * {{StringUtils.startsWith()}} -> {{Strings.CS.startsWith()}}
> * {{StringUtils.endsWith()}} -> {{Strings.CS.endsWith()}}
> * {{StringUtils.contains()}} -> {{Strings.CS.contains()}}
> * {{StringUtils.replace()}} -> {{Strings.CS.replace()}}
> * {{StringUtils.indexOf()}} -> {{Strings.CS.indexOf()}}
> * {{StringUtils.remove(String, String)}} -> {{Strings.CS.remove()}}
> * {{StringUtils.compare(String, String)}} -> {{Strings.CS.compare()}}
> * {{StringUtils.equalsIgnoreCase()}} -> {{Strings.CI.equals()}}
> * {{StringUtils.startsWithIgnoreCase()}} -> {{Strings.CI.startsWith()}}
> * {{StringUtils.endsWithIgnoreCase()}} -> {{Strings.CI.endsWith()}}
> * {{StringUtils.containsIgnoreCase()}} -> {{Strings.CI.contains()}}
> * {{StringUtils.replaceIgnoreCase()}} -> {{Strings.CI.replace()}}
> * {{ObjectsUtils.defaultIfNull()}} -> god knows what
> * ...
> I find the value of these refactors really questionable. They require
> thousands of developers world-wide to update millions of places in code bases
> to follow the new best practices... for what? I would even say the new syntax
> is more confusing, because it might not be intuitive for all, what 'CI' and
> 'CS' stand for. Besides, the old static method calls have become virtual
> method calls, which come with a [considerable performance
> penalty|https://stackoverflow.com/a/28511095] for time-sensitive applications.
> The Apache commons libs are widely used due to their stability, meaning that
> once you refer a method from your code, you can keep using the function
> securely for decades to come.
> Timing-wise these breaking changes are quite critical, because
> [CVE-2025-48924|https://www.cve.org/CVERecord?id=CVE-2025-48924] has just
> been published, so a lot of users are forced to upgrade their projects from
> 3.x.x to 3.18.0 ASAP. One could argue that deprecations are not breaking
> changes, but for users, who are compiling with strict compiler flags (e.g.
> {{{}-Werror{}}}) they are.
> My recommendation is to:
> # Release 3.17.1 ASAP with a security fix
> [CVE-2025-48924|https://www.cve.org/CVERecord?id=CVE-2025-48924] to to allow
> users to upgrade to a secure version without the need to go through all these
> refactors
> # Reconsider these deprecations, and relax them to recommendations or just
> revert them altogether
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
