
#170 commons-collections transitive dependency in opencsv:5.10

open
6
2025-09-11
2025-03-05
No

There is a transitive dependency on commons-collections:3.2.2 in opencsv:5.10 from commons-beanutils:1.9.4. Due to commons-collections:3.2.2 being EOL, there are security vulnerabilities (sonatype-2024-3350) for the same.

This ticket is to track when the new release of opencsv would not contain the vulnerable commons-collections:3.2.2 by upgrading the commons-beanutils dependency.
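The chain the ticket describes (opencsv -> commons-beanutils -> commons-collections) is easy to confirm in your own build from the text output of `mvn dependency:tree`. The script below is an added example, not code from the ticket or from the opencsv project: it parses that output and reports every root-to-leaf path that ends in a commons-collections 3.x artifact, so a consumer can see exactly which direct dependency pulls the EOL library in. The sample tree is constructed for the example; the `com.example:app` coordinates and the commons-logging line are illustrative, and only the opencsv:5.10 -> commons-beanutils:1.9.4 -> commons-collections:3.2.2 chain comes from the ticket.

```python
"""Added example (not from the opencsv ticket or project): trace how a flagged
artifact such as commons-collections:3.2.2 enters a build transitively, by
parsing the text output of `mvn dependency:tree`."""
import re
from typing import Callable, List, Tuple

# Constructed sample of `mvn dependency:tree` output for a hypothetical app that
# depends on opencsv 5.10. Only the opencsv -> commons-beanutils:1.9.4 ->
# commons-collections:3.2.2 chain is taken from the ticket; the com.example
# coordinates and the commons-logging line are illustrative.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] \\- com.opencsv:opencsv:jar:5.10:compile
[INFO]    \\- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO]       +- commons-logging:commons-logging:jar:1.2:compile
[INFO]       \\- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] ------------------------------------------------------------------------
"""

# groupId:artifactId:type[:classifier]:version[:scope], anchored at end of line
COORD_RE = re.compile(r"([A-Za-z0-9_.\-]+:){3,5}[A-Za-z0-9_.\-]+\s*$")
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


def parse_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, groupId, artifactId, version) for each node in the tree."""
    nodes = []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = COORD_RE.search(line)
        if not m:
            continue  # separator or banner lines carry no coordinate
        parts = m.group(0).strip().split(":")
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        # every tree level adds three characters ("+- ", "\- ", "|  " or "   ")
        depth = m.start() // 3
        nodes.append((depth, parts[0], parts[1], version))
    return nodes


def dependency_paths(text: str, group: str, artifact: str,
                     is_flagged: Callable[[str], bool]) -> List[List[str]]:
    """Every root-to-leaf chain that ends in a flagged version of group:artifact."""
    chain: List[str] = []
    hits: List[List[str]] = []
    for depth, g, a, v in parse_tree(text):
        del chain[depth:]  # pop back to this node's parent
        chain.append(f"{g}:{a}:{v}")
        if g == group and a == artifact and is_flagged(v):
            hits.append(list(chain))
    return hits


def report(text: str) -> List[str]:
    """Readable lines for the ticket's case: any commons-collections 3.x."""
    paths = dependency_paths(text, "commons-collections", "commons-collections",
                             lambda v: v.startswith("3."))
    return [" -> ".join(p) for p in paths]


if __name__ == "__main__":
    for line in report(SAMPLE_TREE):
        print("flagged:", line)
```

Run it against a saved `mvn dependency:tree` log instead of `SAMPLE_TREE` to get the same chain for a real project; the predicate passed to `dependency_paths` is where a team encodes whichever versions its policy treats as unsupported.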

Discussion

  • CHU Minh Toan

    CHU Minh Toan - 2025-09-05

    Hello, do you think there will be a next release soon to solve this vulnerability? Thanks

     
  • CHU Minh Toan

    CHU Minh Toan - 2025-09-05

    Hi, here is my pull request for this update:
    https://sourceforge.net/p/toan-opencsv/code/ci/updat_to_use_commons-beanutils2/tree/

    https://toan@git.code.sf.net/p/toan-opencsv/code updat_to_use_commons-beanutils2

    for you to fetch changes up to 75fce13c4ffb0d80c94c54fd9f253f65a02b899f:

    Update to use commons-beanutils2 (2025-09-05 19:30:19 +0200)


    Toan Chu (1):
    Update to use commons-beanutils2

    pom.xml | 8 ++++----
    src/main/java/com/opencsv/bean/ConverterPrimitiveTypes.java | 8 ++++----
    .../bean/customconverter/ConverterLanguageToBoolean.java | 6 +++---
    src/main/java9/module-info.java | 2 +-
    src/test/java/com/opencsv/bean/AnnotationTest.java | 2 +-
    src/test/java/com/opencsv/bean/CollectionSplitTest.java | 2 +-
    .../java/com/opencsv/bean/mocks/split/UnknownElementType.java | 10 +++++-----
    src/test/java/integrationTest/Bug258/BeanUtilsBeanTest.java | 4 ++--
    8 files changed, 21 insertions(+), 21 deletions(-)

     
  • Scott Conway

    Scott Conway - 2025-09-07
    • assigned_to: Scott Conway
     
  • Scott Conway

    Scott Conway - 2025-09-07

    Hello Kiran

    First off thanks for the work - I will try and remember your merge when there is a production release of commons-beanutils2.

    But until there is a production release I am not going to make the change. M2 is a Milestone version - meaning it is potentially feature incomplete, not even a Release Candidate (RC).

    I have been burned in other projects using non production versions in projects I have worked on so I do everything in my power to not rely on non production versions in my final releases. They are like snapshot versions - it is good to see what is coming and what you may need to change, which is why I am glad to see your merge because you have done most of that legwork, but you cannot count on it to stay the same between the non-production and production release versions.

    Sincerely

    Scott Conway :)

     
  • CHU Minh Toan

    CHU Minh Toan - 2025-09-11

    Hello Scott,

    Thank you for your information. Hope we will have a production release of commons-beanutils2 soon for this to be merged.

    Sincerely,
    CHU Minh Toan

     
