Hello, I tested this in my Jakarta 11 application, and a quick validation did not reveal any issues. Basic login/logout flows and RunAs functionality all worked as expected. I’m looking forward to the final release so I can switch to it.
Thank you! -- Regards, Andrew ________________________________ From: [email protected] <[email protected]> Sent: Friday, May 1, 2026 19:53 To: [email protected] <[email protected]> Subject: Last call for feedback - 3.x vs. 2.x and upcoming CVEs Hi, Apache Shiro team is looking for feedback for the next version of Shiro. We are looking to release 3.x as a beta or final version. Once 3.0.0 Final version is released, we are looking to deprecate 2.x. What this means to you: We have received minor-to-medium-scoring security reports over the last couple of months, and I am sure these won’t be the last. These will be implemented in both 3.x and 2.x versions. However, once 3.x is released, no more fixes will be done in 2.x and earlier. Shiro team does not have the capacity to support both versions after this year (2026) at the latest. We would like the next release to be 3.0 either beta or final, unless we have significant feedback (and support) to the contrary. Thank you.
