On Wed, Jul 30, 2025 at 10:30 AM 'Winter, Markus' via Jenkins Developers <[email protected]> wrote:
>
> And given the almost 300 plugins that use commons-lang I think once json-lib
> is fixed we can remove it from core and have the commons-lang-api plugin as
> an implied dependency.

An implied dependency could work, but those tend to stick around a lot longer and are more difficult to reason about and debug. For example, I can foresee complaints (like ones we've had before) that a hypothetical detached Commons Lang 2 plugin keeps getting installed even after users remove it simply because they happened to install a new plugin with an older baseline.

Cleaner and simpler to remove the dependency after migrating plugins, particularly given that its presence on the classpath trips up security scanners.

When looking at plugins, I see two major categories: plugins that use Commons Lang extensively (which can be migrated to version 3) and plugins that use it only in a handful of places for extremely basic functionality (e.g., checking if some string is null or empty, which can easily be migrated to standard Java Platform functionality).

Doing a sweep of the ecosystem might be more work in the short term, but in the long term it leaves the code in a better state and gets us more quickly to a state where security scanners stop complaining about our classpath.
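
The two categories described in the message above can be triaged mechanically during an ecosystem sweep. The following is an added example, not part of the original message or of any Jenkins tooling: the `triage` function, the category names, the shortlist of "basic" calls and the sample sources are all assumptions made for illustration.

```python
import re
from collections import Counter

# Commons Lang 2 is org.apache.commons.lang; version 3 is org.apache.commons.lang3,
# so requiring "lang." keeps lang3 imports from matching.
LANG2_IMPORT = re.compile(
    r"^\s*import\s+(?:static\s+)?org\.apache\.commons\.lang\.([\w.*]+)\s*;", re.M)
CALL = re.compile(r"\b(StringUtils|ObjectUtils)\.(\w+)\s*\(")

# Assumed shortlist of "extremely basic" calls with a JDK equivalent (Java 11+).
JDK_EQUIVALENT = {
    "StringUtils.isEmpty": "s == null || s.isEmpty()",
    "StringUtils.isNotEmpty": "s != null && !s.isEmpty()",
    "StringUtils.isBlank": "s == null || s.isBlank()",
    "StringUtils.isNotBlank": "s != null && !s.isBlank()",
    "StringUtils.equals": "Objects.equals(a, b)",
    "StringUtils.defaultString": 'Objects.toString(s, "")',
    "ObjectUtils.equals": "Objects.equals(a, b)",
}

def triage(sources):
    """sources: {path: java_text}. Returns (category, Counter of Lang 2 calls)."""
    imported, calls = set(), Counter()
    for text in sources.values():
        names = LANG2_IMPORT.findall(text)
        if not names:
            continue  # no Lang 2 import here (fully qualified uses are missed)
        imported.update(names)
        calls.update(f"{cls}.{method}" for cls, method in CALL.findall(text))
    if not imported:
        return "no-lang2", calls
    # Wildcard, static or other-class imports conservatively fall through to lang3.
    basic = (imported <= {"StringUtils", "ObjectUtils"}
             and set(calls) <= set(JDK_EQUIVALENT))
    return ("migrate-to-jdk" if basic else "migrate-to-lang3"), calls

SAMPLES = {  # constructed inputs, not real plugin code
    "basic-plugin": {"A.java": "import org.apache.commons.lang.StringUtils;\n"
        "class A { boolean f(String s) { return StringUtils.isBlank(s); } }"},
    "heavy-plugin": {"B.java": "import org.apache.commons.lang.builder.EqualsBuilder;\n"
        "import org.apache.commons.lang.StringUtils;\n"
        "class B { String f(String s) { return StringUtils.abbreviate(s, 10); } }"},
    "done-plugin": {"C.java": "import org.apache.commons.lang3.StringUtils;\n"
        "class C { boolean f(String s) { return StringUtils.isBlank(s); } }"},
}

if __name__ == "__main__":
    for plugin, sources in SAMPLES.items():
        category, calls = triage(sources)
        print(plugin, category, {c: JDK_EQUIVALENT.get(c, "lang3") for c in calls})
```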
