Upgrade commons-collections to 4.4
Opencsv version 5.6 is using Apache Commons Collections 3.2.2. According to https://advisory.checkmarx.net/advisory/vulnerability/Cx78f40514-81ff/ all versions before 4.3 have an uncontrolled recursion vulnerability.
Also, this version of Apache Commons Collections is 7 years old.
Can this library be updated in the official version?
Please note: the package name was changed to org.apache.commons:commons-collections4 in version 4.0.
We do, in fact, use Commons Collections 4.4 and have for a while:
https://sourceforge.net/p/opencsv/source/ci/master/tree/pom.xml
The older version of Collections is included in the build because the latest version of Apache's own BeanUtils still uses it.
commons-collections is a transitive dependency of commons-beanutils:commons-beanutils, and because commons-collections4 is not compatible with commons-collections we cannot exclude commons-collections from beanutils. Trust me, we tried. There is a commons-beanutils2 that has been in development for years that uses commons-collections, and when it has been released we can upgrade.
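As an added example (not code from the opencsv project or from anyone in this thread), a POSIX shell helper that reads saved `mvn dependency:tree` output and prints the chain through which a given groupId:artifactId arrives, which is how you confirm a claim like the one above for your own build. The sample tree is constructed to mirror the situation described (commons-collections4 declared directly, commons-collections 3.2.2 arriving only through commons-beanutils); the beanutils and lang3 versions in it are illustrative, not taken from the real pom.

```shell
#!/bin/sh
# find_dependency_path TARGET
#   Reads `mvn dependency:tree` text on stdin and prints, for every node whose
#   groupId:artifactId equals TARGET, the path from the root artifact to it.
#   Maven indents each tree level by three glyph characters ("+- ", "|  ", "\- "),
#   so the depth is derived from where the coordinate (first letter) starts.
find_dependency_path() {
    awk -v target="$1" '
        /^\[INFO\] / {
            sub(/^\[INFO\] /, "")
            match($0, /[A-Za-z]/)            # coordinate begins at first letter
            if (RSTART == 0) next
            depth = (RSTART - 1) / 3
            coord = substr($0, RSTART)
            if (split(coord, f, ":") < 4) next   # skip non-coordinate lines
            path[depth] = coord                  # remember ancestor at this depth
            if (f[1] ":" f[2] == target) {
                out = path[0]
                for (i = 1; i <= depth; i++) out = out " -> " path[i]
                print out
            }
        }'
}

# Constructed sample output (assumption: shaped like opencsv 5.6's tree; the
# beanutils/lang3 version numbers are illustrative placeholders).
SAMPLE_TREE=$(cat <<'EOF'
[INFO] --- dependency:tree (default-cli) @ opencsv ---
[INFO] com.opencsv:opencsv:jar:5.6
[INFO] +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] \- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] BUILD SUCCESS
EOF
)

# Shows that the legacy artifact is pulled in via beanutils, not declared directly.
printf '%s\n' "$SAMPLE_TREE" | find_dependency_path commons-collections:commons-collections
printf '%s\n' "$SAMPLE_TREE" | find_dependency_path org.apache.commons:commons-collections4
```

Run it against `mvn dependency:tree > tree.txt` from your own project (`find_dependency_path commons-collections:commons-collections < tree.txt`) to see which direct dependency is responsible before deciding whether an exclusion is even possible.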
Hi, since https://mvnrepository.com/artifact/org.apache.commons/commons-beanutils2 has been released, can we consider getting rid of commons-collections4?