Hi Olivier,

What you point out is documented in the release notes [1] and the
site's changes section [2].

Don't confuse binary compatibility (formally defined by the JLS, and which
we follow) with "drop-in replacement", which can mean different things to
different people.

If you update the version of the dependency in your POM (or whatever
dependency management tool you use), transitive dependencies should be
automatically picked up.

Gary
[1] https://dlcdn.apache.org//commons/compress/RELEASE-NOTES.txt
[2] https://commons.apache.org/proper/commons-compress/changes-report.html#a1.26.0

On Mon, Feb 19, 2024 at 9:27 AM Olivier Jaquemet
<olivier.jaque...@jalios.com> wrote:
>
> Hello Gary,
>
> Thank you for this release.
>
> I'd like to point out to users of Commons Compress that this version
> 1.26.0 introduces a *new* dependency on commons-codec (for which it uses
> the latest 1.16.1).
>
> https://central.sonatype.com/artifact/org.apache.commons/commons-compress/dependencies
>
> So in case some of you were expecting to perform a drop-in replacement of
> the commons-compress jar to benefit from vulnerability fixes, beware
> that you must also introduce new dependencies. (Using a dependency
> management tool would have included those dependencies, so this is more
> of a warning for people still doing old and ugly "jar pickup and drop" ;) )
>
> And for more details, below are the dependencies that were introduced
> (in case you want to update anyway, you probably could without adding
> commons codec, if you are not using those features...):
>
> org.apache.commons.compress.archivers.tar
>      --> org.apache.commons.codec.Charsets.toCharset(java.lang.String) *
> org.apache.commons.compress.compressors.lz4
>      --> org.apache.commons.codec.digest.XXHash32 *
>      --> org.apache.commons.codec.digest.XXHash32.XXHash32() *
>      --> org.apache.commons.codec.digest.XXHash32.XXHash32(int) *
>      --> org.apache.commons.codec.digest.XXHash32.getValue() *
>      --> org.apache.commons.codec.digest.XXHash32.reset() *
>      --> org.apache.commons.codec.digest.XXHash32.update(byte[], int, int) *
>      --> org.apache.commons.codec.digest.XXHash32.update(int) *
> org.apache.commons.compress.compressors.snappy
>      --> org.apache.commons.codec.digest.PureJavaCrc32C *
>      --> org.apache.commons.codec.digest.PureJavaCrc32C.PureJavaCrc32C() *
>      --> org.apache.commons.codec.digest.PureJavaCrc32C.getValue() *
>      --> org.apache.commons.codec.digest.PureJavaCrc32C.reset() *
>      --> org.apache.commons.codec.digest.PureJavaCrc32C.update(byte[], int, int) *
>
> Regards
>
> On 19/02/2024 02:28, Gary Gregory wrote:
> > The Apache Commons team is pleased to announce Apache Compress 1.26.0.
> >
> > Apache Commons Compress defines an API for working with compression
> > and archive formats.  These include bzip2, gzip, pack200, LZMA, XZ,
> > Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli,
> > Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
> >
> > This is a minor feature and maintenance release.
> >
> > Historical list of changes:
> > https://commons.apache.org/proper/commons-compress/changes-report.html
> >
> > For complete information on Apache Commons Compress, including
> > instructions on how to submit bug reports, patches, or suggestions for
> > improvement, see the Apache Commons Compress website:
> >
> > https://commons.apache.org/proper/commons-compress/
> >
> > Download page: 
> > https://commons.apache.org/proper/commons-compress/download_io.cgi
> >
> > Have fun!
> > Gary Gregory
> > -Apache Commons Team
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
> > For additional commands, e-mail: user-h...@commons.apache.org
>
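For anyone still copying jars by hand, the check below reports which of the commons-codec classes listed in the quoted message are absent from a lib directory that holds commons-compress 1.26 or later. It is an added example, not code from the thread or from Apache Commons; it assumes a flat directory of jars and that the commons-compress version can be read from the jar file name.

```python
import re
import sys
import zipfile
from pathlib import Path

# commons-codec classes referenced by commons-compress 1.26.0, taken from the
# list in the quoted message, keyed by the commons-compress package using them.
CODEC_CLASSES = {
    "org.apache.commons.compress.archivers.tar":
        ["org.apache.commons.codec.Charsets"],
    "org.apache.commons.compress.compressors.lz4":
        ["org.apache.commons.codec.digest.XXHash32"],
    "org.apache.commons.compress.compressors.snappy":
        ["org.apache.commons.codec.digest.PureJavaCrc32C"],
}
# Assumption: the jar keeps its Maven-style name, e.g. commons-compress-1.26.0.jar
JAR_NAME = re.compile(r"commons-compress-(\d+)\.(\d+)(?:\.\d+)?.*\.jar$")


def classes_in(lib_dir):
    """Return the class names provided by every readable jar in lib_dir."""
    found = set()
    for jar in Path(lib_dir).glob("*.jar"):
        try:
            with zipfile.ZipFile(jar) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue  # a truncated or corrupt jar provides no classes
        found.update(n[:-6].replace("/", ".") for n in names if n.endswith(".class"))
    return found


def missing_codec_classes(lib_dir):
    """Map each affected commons-compress package to the codec classes it lacks.

    Returns {} when no commons-compress >= 1.26 jar is present, or when every
    listed class is available somewhere in the directory.
    """
    versions = [tuple(map(int, m.groups()))
                for p in Path(lib_dir).glob("*.jar")
                if (m := JAR_NAME.match(p.name))]
    if not any(v >= (1, 26) for v in versions):
        return {}
    present = classes_in(lib_dir)
    return {pkg: gone for pkg, needed in CODEC_CLASSES.items()
            if (gone := [c for c in needed if c not in present])}


if __name__ == "__main__":
    for pkg, gone in missing_codec_classes(sys.argv[1]).items():
        print(f"{pkg}: missing {', '.join(gone)}")
```

A non-empty result means the tar, lz4 or snappy code paths named in the message would reference classes that no jar in that directory provides.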
