Thanks for your feedback, Andrew, it’s really valuable. Specific question for you: Are you using Jakarta EE module (shiro-jakarta-ee), or just shiro-web standalone?
We are still looking for more feedback, specifically for Spring / SpringBoot ecosystem, since lots of updates were made there. Thank you!

> On May 2, 2026, at 2:41 AM, Andrew G10i <[email protected]> wrote:
>
> Hello,
>
> I tested this in my Jakarta 11 application, and a quick validation did not
> reveal any issues. Basic login/logout flows and RunAs functionality all
> worked as expected. I’m looking forward to the final release so I can switch
> to it.
>
> Thank you!
>
> --
> Regards,
> Andrew
> From: [email protected] <[email protected]>
> Sent: Friday, May 1, 2026 19:53
> To: [email protected] <[email protected]>
> Subject: Last call for feedback - 3.x vs. 2.x and upcoming CVEs
>
> Hi,
>
> Apache Shiro team is looking for feedback for the next version of Shiro.
> We are looking to release 3.x as a beta or final version.
> Once 3.0.0 Final version is released, we are looking to deprecate 2.x.
>
> What this means to you:
> We have received minor-to-medium-scoring security reports over the last
> couple of months, and I am sure these won’t be the last.
> These will be implemented in both 3.x and 2.x versions. However, once 3.x is
> released, no more fixes will be done in 2.x and earlier.
> Shiro team does not have the capacity to support both versions after this
> year (2026) at the latest.
>
> We would like the next release to be 3.0 either beta or final, unless we have
> significant feedback (and support) to the contrary.
>
> Thank you.
