[RESULT][LAZY][VOTE] Release Apache Commons Parent 84 based on RC1

2025-05-20 Thread Gary Gregory 
This lazy vote thread passes with the following binding +1 votes:

- Gary Gregory (ggregory)
- Alex Herbert (aherbert)

TY!
Gary

On Fri, May 16, 2025 at 8:18 AM Gary Gregory  wrote:

> We have picked up a few bug fixes since Apache Commons Parent 83 was
> released, so I would like to release Apache Commons Parent 84.
>
> Apache Commons Parent 84 RC1 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/parent/84-RC1 (svn
> revision 76860)
>
> The Git tag commons-parent-84-RC1 commit for this RC is
> 65e45324cb451ff202db4f9863289cdc0f4b9ce6 which you can browse here:
>
> https://gitbox.apache.org/repos/asf?p=commons-parent.git;a=commit;h=65e45324cb451ff202db4f9863289cdc0f4b9ce6
> You may checkout this tag using:
> git clone https://gitbox.apache.org/repos/asf/commons-parent.git
> --branch commons-parent-84-RC1 commons-parent-84-RC1
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1835/org/apache/commons/commons-parent/84/
>
> These are the artifacts and their hashes:
>
> #Release SHA-512s
> #Fri May 16 12:11:39 UTC 2025
>
> commons-parent-84-bom.json=9ca5ef800968c963c6e5b080c795782d7b2611a05e6bc4780a9470ce10bc2a36853ca1a0b281c672f44bba6ad501dee55d9a467a32bcc9ca20625e46db8f2a0b
>
> commons-parent-84-bom.xml=549a6381aac9088b386634c4d9c70254d76c51184591e3682464bec5c5e8962021d307ddee5467b11f02808882bac2596abdb0f29baa3d7a2a747bf097f806bf
>
> commons-parent-84-site.xml=07c3de38227fd28664777636162d583dc0cb5061c8133f827023ca3188b641a53ee2aed1192a8842f76071b2db8c5aeef7d4c58457c8688c89d577ae23d51a86
>
> commons-parent-84-src.tar.gz=75536b27321df8a86d180fcf22dab91eaedcad5ed9c1e64b57868a98022769c6a54dc3d814d07b24fb246a120f3c0116732de0bc2b4c4a2904552abcebedb95e
>
> commons-parent-84-src.zip=2ff821e447980f4cb7e9a2b6bec390e2bb5c57327f94f148d890532c3179808dda0ebcf2fb1c981ea6414965d42ec8699536c0ce404cf97786b9e3a6a325b68d
>
> org.apache.commons_commons-parent-84.spdx.json=f37284ea946e0bc03c177000dae7a9c2461d2d25e8ec7cea01f45c6a9250b4894fb1bd2b0144ae5fede98272e10940f948437ba37deaa86d6b4f4a3bfc1f8400
>
> I have tested this with 'mvn' and 'mvn -e -V -P release -P test-deploy
> clean package site deploy' using:
>
> openjdk version "21.0.7" 2025-04-15
> OpenJDK Runtime Environment Homebrew (build 21.0.7)
> OpenJDK 64-Bit Server VM Homebrew (build 21.0.7, mixed mode, sharing)
>
> Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
> Maven home: /opt/homebrew/Cellar/maven/3.9.9/libexec
> Java version: 21.0.7, vendor: Homebrew, runtime:
> /opt/homebrew/Cellar/openjdk@21/21.0.7/libexec/openjdk.jdk/Contents/Home
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "15.5", arch: "aarch64", family: "mac"
>
> Darwin  24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:53:27 PDT
> 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6041 arm64
>
> Docker version 28.0.4, build b8034c0
>
> Details of changes since 83 are in the release notes:
>
> https://dist.apache.org/repos/dist/dev/commons/parent/84-RC1/RELEASE-NOTES.txt
>
> https://dist.apache.org/repos/dist/dev/commons/parent/84-RC1/site/changes.html
>
> Site:
>
> https://dist.apache.org/repos/dist/dev/commons/parent/84-RC1/site/index.html
> (note some *relative* links are broken and the 84 directories are not
> yet created - these will be OK once the site is deployed.)
>
> JApiCmp Report (compared to 83):
>
> https://dist.apache.org/repos/dist/dev/commons/parent/84-RC1/site/japicmp.html
> There is no repoirt since this is not a Java JAR module.
>
> RAT Report:
>
> https://dist.apache.org/repos/dist/dev/commons/parent/84-RC1/site/rat-report.html
>
> KEYS:
>   https://downloads.apache.org/commons/KEYS
>
> Please review the release candidate and vote.
> This vote will close no sooner than 72 hours from now.
>
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...
>
> Thank you,
>
> Gary Gregory,
> Release Manager (using key 86fdc7e2a11262cb)
>
> The following is intended as a helper and refresher for reviewers.
>
> Validating a release candidate
> ==
>
> These guidelines are NOT complete.
>
> Requirements: Git, Java, and Maven.
>
> You can validate a release from a release candidate (RC) tag as follows.
>
> 1a) Download and decompress the source archive from:
>
> https://dist.apache.org/repos/dist/dev/commons/parent/84-RC1/source
>
> 1b) Check out the RC tag from git (optional)
>
> This is optional, as a reviewer must check source distributions as a
> minimum.
>
> git clone https://gitbox.apache.org/repos/asf/commons-parent.git --branch
> commons-parent-84-RC1 commons-parent-84-RC1
> cd commons-parent-84-RC1
>
> 2) Checking the build
>
> All components should include a default Maven goal, such that you can run
> 'mvn' from the command line by itself.
>
> 2) Check Apache licenses
>
> This step is not required if the site includes a RAT report page which y

[beanutils2] Question about the official final 2.0.0 release timeline

2025-05-20 Thread Zach Dove 
Hello,

I’d like to ask about the plans for an official release of BeanUtils2 (2.0.0 
final). We are tracking this for our migration to Java 21 and JasperReports 7.

The milestone releases (2.0.0-M1) are helpful, but is there a timeline or 
roadmap for a stable, non-milestone release?
I'm referencing from 
https://commons.apache.org/proper/commons-beanutils/changes.html .

Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks a 
release was made through 'melloware' group as a non-Apache alternative to swap 
2.0.0-M1 to 2.0.0.
I've followed up with melloware on the issue of 
https://github.com/Jaspersoft/jasperreports/issues/260


Currently the lack of a vision for an official final release of BeanUtils2 
remains a concerning blocker for our migration of our software suite from Java 
11 to Java 21 and a blocker for continuing with Jasper Reports 7.


In addition, https://github.com/apache/commons-beanutils/security does not 
contain any disclaimer disregarding a continuous concern within the community 
for "security issue" Cx78f40514-81ff / sonatype-2024-3350 / COLLECTIONS-701,  
revolving around the concerns of the changes made in commons-collections4, 4.2,
Https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23

I took the time to look through the dependencies in commons-beanutils,  
commons-beanutils2, commons-digester, collections 3.2 / commons-collections4 
and was unable to find SetUniqueList being used across these components that 
directly impacts commons-beanutils functionality & security.


In short, could you please advise / response on:
- The expected timeline or requirements for a stable/final BeanUtils2 2.0.0 
release?
- Whether there are any remaining blockers or areas where the community can 
assist?
- Any official position on the referenced security concern in beanutils 
1.9.x-1.10.x, given the current dependency structure?

Best,

Zach Dove,  Software Developer, D2, Store Transactions
P 828.265.2907 | www.ecrs.com

[cid:9f9efc75-29d6-4cf4-a11b-f8ae433af242]

[cid:a566bae0-bc78-4a6c-b57f-9aa985252cd0]  
[cid:37c2ecb4-36a0-4f39-97ab-c18a15b39e30]    
[cid:a1c7d70d-a4b1-4820-a229-585c8aab2fba]    
[cid:2d01f5f2-4d44-4c7e-b497-621da489b579] 

[cid:02657695-98a9-4366-8f73-f0c5b7292c47]

[cid:ff2d9747-ebed-496d-9a8d-63fa65477b03]

Re: [beanutils2] Question about the official final 2.0.0 release timeline

2025-05-20 Thread Melloware Inc 
I +1 this vote for an official BeanUtils 2.0.0 release. I am using it in
Production as M1 for months now without issue.

On Tue, May 20, 2025 at 10:47 AM Zach Dove  wrote:

> Hello,
>
> I’d like to ask about the plans for an official release of BeanUtils2
> (2.0.0 final). We are tracking this for our migration to Java 21 and
> JasperReports 7.
>
> The milestone releases (2.0.0-M1) are helpful, but is there a timeline or
> roadmap for a stable, non-milestone release?
> I'm referencing from 
> *https://commons.apache.org/proper/commons-beanutils/changes.html
> * .
>
> Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks
> a release was made through 'melloware' group as a non-Apache alternative to
> swap 2.0.0-M1 to 2.0.0.
> I've followed up with melloware on the issue of
> https://github.com/Jaspersoft/jasperreports/issues/260
>
>
> Currently the lack of a vision for an official final release of BeanUtils2
> remains a concerning blocker for our migration of our software suite from
> Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.
>
>
> In addition, https://github.com/apache/commons-beanutils/security does
> not contain any disclaimer disregarding a continuous concern within the
> community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 /
> COLLECTIONS-701,  revolving around the concerns of the changes made in
> commons-collections4, 4.2,
>
> Https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> 
>
>
> I took the time to look through the dependencies in commons-beanutils,
>  commons-beanutils2, commons-digester, collections 3.2 /
> commons-collections4 and was unable to find SetUniqueList being used
> across these components that directly impacts commons-beanutils
> functionality & security.
>
>
> In short, could you please advise / response on:
> - The expected timeline or requirements for a stable/final BeanUtils2
> 2.0.0 release?
> - Whether there are any remaining blockers or areas where the community
> can assist?
> - Any official position on the referenced security concern in beanutils
> 1.9.x-1.10.x, given the current dependency structure?
>
> Best,
>
> *Zach Dove,*  Software Developer, D2, Store Transactions
> *P* 828.265.2907* | ** www.ecrs.com
> *
>
> *  ** *
>
> * *  * *  *
> *  * *
>
> * *
>
> * *
>
>

-- 
==
Melloware
melloware...@gmail.com
http://melloware.com
==

Re: (commons-text) 03/04: Interface TextRandomProvider extends IntUnaryOperator

2025-05-20 Thread Gary Gregory 
On Tue, May 20, 2025 at 11:48 AM Alex Herbert 
wrote:

> This change breaks the code example on how to use the class, see below:
>
> On Tue, 20 May 2025 at 15:51,  wrote:
>
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > ggregory pushed a commit to branch master
> > in repository https://gitbox.apache.org/repos/asf/commons-text.git
> >
> > commit 98aae9ada74f51b52dbcf41c7ad46452721a6ffe
> > Author: Gary Gregory 
> > AuthorDate: Tue May 20 10:49:31 2025 -0400
> >
> > Interface TextRandomProvider extends IntUnaryOperator
> > ---
> >  src/changes/changes.xml|  1 +
> >  .../apache/commons/text/RandomStringGenerator.java |  4 +--
> >  .../apache/commons/text/TextRandomProvider.java| 34
> > +-
> >  3 files changed, 29 insertions(+), 10 deletions(-)
> >
> > diff --git a/src/changes/changes.xml b/src/changes/changes.xml
> > index b5824ded..69c3ce3f 100644
> > --- a/src/changes/changes.xml
> > +++ b/src/changes/changes.xml
> > @@ -49,6 +49,7 @@ The  type attribute can be
> add,update,fix,remove.
> >  
> >  
> >  Interface
> > StringLookup now extends UnaryOperator.
> > +Interface
> > TextRandomProvider extends IntUnaryOperator.
> >  
> >  Bump org.apache.commons:commons-parent from 81 to 84
> #668.
> >  Bump
> > commons-io:commons-io from 2.18.0 to 2.19.0.
> > diff --git
> > a/src/main/java/org/apache/commons/text/RandomStringGenerator.java
> > b/src/main/java/org/apache/commons/text/RandomStringGenerator.java
> > index df3f3938..4a999649 100644
> > --- a/src/main/java/org/apache/commons/text/RandomStringGenerator.java
> > +++ b/src/main/java/org/apache/commons/text/RandomStringGenerator.java
> > @@ -459,7 +459,7 @@ public final class RandomStringGenerator {
> >   */
> >  private int generateRandomNumber(final int minInclusive, final int
> > maxInclusive) {
> >  if (random != null) {
> > -return random.nextInt(maxInclusive - minInclusive + 1) +
> > minInclusive;
> > +return random.applyAsInt(maxInclusive - minInclusive + 1) +
> > minInclusive;
> >  }
> >  return ThreadLocalRandom.current().nextInt(minInclusive,
> > maxInclusive + 1);
> >  }
> > @@ -474,7 +474,7 @@ public final class RandomStringGenerator {
> >  private int generateRandomNumber(final List
> characterList)
> > {
> >  final int listSize = characterList.size();
> >  if (random != null) {
> > -return
> >
> String.valueOf(characterList.get(random.nextInt(listSize))).codePointAt(0);
> > +return
> >
> String.valueOf(characterList.get(random.applyAsInt(listSize))).codePointAt(0);
> >  }
> >  return
> > String.valueOf(characterList.get(ThreadLocalRandom.current().nextInt(0,
> > listSize))).codePointAt(0);
> >  }
> > diff --git
> a/src/main/java/org/apache/commons/text/TextRandomProvider.java
> > b/src/main/java/org/apache/commons/text/TextRandomProvider.java
> > index 0190d9cb..23ba9173 100644
> > --- a/src/main/java/org/apache/commons/text/TextRandomProvider.java
> > +++ b/src/main/java/org/apache/commons/text/TextRandomProvider.java
> > @@ -16,6 +16,8 @@
> >   */
> >  package org.apache.commons.text;
> >
> > +import java.util.function.IntUnaryOperator;
> > +
> >  /**
> >   * TextRandomProvider implementations are used by {@link
> > RandomStringGenerator}
> >   * as a source of randomness.  It is highly recommended that the
> > @@ -23,27 +25,43 @@ package org.apache.commons.text;
> >   * library be used to provide the random number generation.
> >   *
> >   * 
> > - * When using Java 8 or later, TextRandomProvider is a functional
> > interface and
> > - * need not be explicitly implemented.  For example:
> > + * {@code TextRandomProvider} is a functional interface and need not be
> > explicitly implemented.
> > + * 
> > + * 
> > + * For example:
> >   * 
> >   * 
> >   * {@code
> >   * UniformRandomProvider rng = RandomSource.create(...);
> >   * RandomStringGenerator gen = RandomStringGenerator.builder()
> > - * .usingRandom(rng::nextInt)
> > + * .usingRandom(rng::applyAsInt)
> >
>
> This is not a valid example. The UniformRandomProvider interface does not
> have a 'applyAsInt' method, so the code would not compile.
>

I fixed the Javadoc in git master. TY!

Gary

>
>
>
> >   * // additional builder calls as needed
> >   * .build();
> >   * }
> >   * 
> >   * @since 1.1
> >   */
> > -public interface TextRandomProvider {
> > +public interface TextRandomProvider extends IntUnaryOperator {
> > +
> > +/**
> > + * Generates an int value between 0 (inclusive) and the specified
> > value (exclusive).
> > + *
> > + * @param max Bound on the random number to be returned. Must be
> > positive.
> > + * @return a random int value between 0 (inclusive) and max
> > (exclusive).
> > + * @since 1.14.0
> > + */
> > +@Override
> > +default int applyAsInt(final int max) {
> > +

Re: [beanutils2] Question about the official final 2.0.0 release timeline

2025-05-20 Thread Gary Gregory 
Hi Zach,

There is no official or unofficial release date yet because I would like to
get more community feedback before we set the API in stone for 2.0.0.

It would be painful if your port from 1.x to 2.x revealed issues requiring
API changes that we couldn't make until 3.x. Would you use 2.0.0-M1 and
report your findings?

> blocker for our migration of our software suite from Java 11 to Java 21

I'm not sure what this has to do with BU as BU 1.x and 2.x are both tested
against all Java LTS versions: 8, 11, 17, 21 (See GitHub).

Issue https://issues.apache.org/jira/browse/BEANUTILS-532 is handled in
2.0.0-M1.

WRT COLLECTIONS-701 (
https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23),
this can only happen due to a programming error, and was fixed in 4.3.

> The expected timeline or requirements for a stable/final BeanUtils2 2.0.0
release?

See above, in brief, please port to 2.0.0-M1.

> Whether there are any remaining blockers or areas where the community can
assist?

- Testing 2.0.0-M1 and/or 2.0.0-M2-SNAPSHOT in your environment would be
the most helpful.
- You can also see Jira and GitHub pull requests to see if there are open
issues that would matter to you.

> Any official position on the referenced security concern in beanutils
1.9.x-1.10.x, given the current dependency structure?

If by security concern you mean
https://issues.apache.org/jira/browse/BEANUTILS-532, this is addressed in
BU 2.0.0-M1 and cannot be fixed in BU 1 since updating Commons
Collections 3.x to 4.x would break binary compatibility.

HTH,
Gary


On Tue, May 20, 2025 at 10:47 AM Zach Dove  wrote:

> Hello,
>
> I’d like to ask about the plans for an official release of BeanUtils2
> (2.0.0 final). We are tracking this for our migration to Java 21 and
> JasperReports 7.
>
> The milestone releases (2.0.0-M1) are helpful, but is there a timeline or
> roadmap for a stable, non-milestone release?
> I'm referencing from 
> *https://commons.apache.org/proper/commons-beanutils/changes.html
> * .
>
> Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks
> a release was made through 'melloware' group as a non-Apache alternative to
> swap 2.0.0-M1 to 2.0.0.
> I've followed up with melloware on the issue of
> https://github.com/Jaspersoft/jasperreports/issues/260
>
>
> Currently the lack of a vision for an official final release of BeanUtils2
> remains a concerning blocker for our migration of our software suite from
> Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.
>
>
> In addition, https://github.com/apache/commons-beanutils/security does
> not contain any disclaimer disregarding a continuous concern within the
> community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 /
> COLLECTIONS-701,  revolving around the concerns of the changes made in
> commons-collections4, 4.2,
>
> Https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> 
>
>
> I took the time to look through the dependencies in commons-beanutils,
>  commons-beanutils2, commons-digester, collections 3.2 /
> commons-collections4 and was unable to find SetUniqueList being used
> across these components that directly impacts commons-beanutils
> functionality & security.
>
>
> In short, could you please advise / response on:
> - The expected timeline or requirements for a stable/final BeanUtils2
> 2.0.0 release?
> - Whether there are any remaining blockers or areas where the community
> can assist?
> - Any official position on the referenced security concern in beanutils
> 1.9.x-1.10.x, given the current dependency structure?
>
> Best,
>
> *Zach Dove,*  Software Developer, D2, Store Transactions
> *P* 828.265.2907* | ** www.ecrs.com
> *
>
> *  ** *
>
> * *  * *  *
> *  * *
>
> * *
>
> * *
>
>

Re: [beanutils2] Question about the official final 2.0.0 release timeline

2025-05-20 Thread Melloware Inc 
I guess that is a question for the JasperReports team. 


Melloware
@melloware on GitHub

> On May 20, 2025, at 5:37 PM, Gary Gregory  wrote:
> 
> Creating a PR in JasperReports runs... zero tests?
> 
> Gary
> 
> 
>> On Tue, May 20, 2025 at 4:41 PM Melloware Inc 
>> wrote:
>> 
>> Note I have already submitted a JasperReports PR against BeanUtils 2.0.0-M1
>> months ago but the author doesn't like its an M1.
>> 
>> See: https://github.com/Jaspersoft/jasperreports/pull/488
>> 
>> On Tue, May 20, 2025 at 1:49 PM Gary Gregory 
>> wrote:
>> 
>>> Hi Zach,
>>> 
>>> There is no official or unofficial release date yet because I would like
>> to
>>> get more community feedback before we set the API in stone for 2.0.0.
>>> 
>>> It would be painful if your port from 1.x to 2.x revealed issues
>> requiring
>>> API changes that we couldn't make until 3.x. Would you use 2.0.0-M1 and
>>> report your findings?
>>> 
 blocker for our migration of our software suite from Java 11 to Java 21
>>> 
>>> I'm not sure what this has to do with BU as BU 1.x and 2.x are both
>> tested
>>> against all Java LTS versions: 8, 11, 17, 21 (See GitHub).
>>> 
>>> Issue https://issues.apache.org/jira/browse/BEANUTILS-532 is handled in
>>> 2.0.0-M1.
>>> 
>>> WRT COLLECTIONS-701 (
>>> 
>>> 
>> https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
>>> ),
>>> this can only happen due to a programming error, and was fixed in 4.3.
>>> 
 The expected timeline or requirements for a stable/final BeanUtils2
>> 2.0.0
>>> release?
>>> 
>>> See above, in brief, please port to 2.0.0-M1.
>>> 
 Whether there are any remaining blockers or areas where the community
>> can
>>> assist?
>>> 
>>> - Testing 2.0.0-M1 and/or 2.0.0-M2-SNAPSHOT in your environment would be
>>> the most helpful.
>>> - You can also see Jira and GitHub pull requests to see if there are open
>>> issues that would matter to you.
>>> 
 Any official position on the referenced security concern in beanutils
>>> 1.9.x-1.10.x, given the current dependency structure?
>>> 
>>> If by security concern you mean
>>> https://issues.apache.org/jira/browse/BEANUTILS-532, this is addressed
>> in
>>> BU 2.0.0-M1 and cannot be fixed in BU 1 since updating Commons
>>> Collections 3.x to 4.x would break binary compatibility.
>>> 
>>> HTH,
>>> Gary
>>> 
>>> 
>>> On Tue, May 20, 2025 at 10:47 AM Zach Dove 
>> wrote:
>>> 
 Hello,
 
 I’d like to ask about the plans for an official release of BeanUtils2
 (2.0.0 final). We are tracking this for our migration to Java 21 and
 JasperReports 7.
 
 The milestone releases (2.0.0-M1) are helpful, but is there a timeline
>> or
 roadmap for a stable, non-milestone release?
 I'm referencing from *
>>> https://commons.apache.org/proper/commons-beanutils/changes.html
 * .
 
 Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532
>> looks
 a release was made through 'melloware' group as a non-Apache
>> alternative
>>> to
 swap 2.0.0-M1 to 2.0.0.
 I've followed up with melloware on the issue of
 https://github.com/Jaspersoft/jasperreports/issues/260
 
 
 Currently the lack of a vision for an official final release of
>>> BeanUtils2
 remains a concerning blocker for our migration of our software suite
>> from
 Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.
 
 
 In addition, https://github.com/apache/commons-beanutils/security does
 not contain any disclaimer disregarding a continuous concern within the
 community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 /
 COLLECTIONS-701,  revolving around the concerns of the changes made in
 commons-collections4, 4.2,
 
 
>>> 
>> Https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
 <
>>> 
>> https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
 
 
 
 I took the time to look through the dependencies in commons-beanutils,
 commons-beanutils2, commons-digester, collections 3.2 /
 commons-collections4 and was unable to find SetUniqueList being used
 across these components that directly impacts commons-beanutils
 functionality & security.
 
 
 In short, could you please advise / response on:
 - The expected timeline or requirements for a stable/final BeanUtils2
 2.0.0 release?
 - Whether there are any remaining blockers or areas where the community
 can assist?
 - Any official position on the referenced security concern in beanutils
 1.9.x-1.10.x, given the current dependency structure?
 
 Best,

Re: (commons-text) 03/04: Interface TextRandomProvider extends IntUnaryOperator

2025-05-20 Thread Alex Herbert 
This change breaks the code example on how to use the class, see below:

On Tue, 20 May 2025 at 15:51,  wrote:

> This is an automated email from the ASF dual-hosted git repository.
>
> ggregory pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/commons-text.git
>
> commit 98aae9ada74f51b52dbcf41c7ad46452721a6ffe
> Author: Gary Gregory 
> AuthorDate: Tue May 20 10:49:31 2025 -0400
>
> Interface TextRandomProvider extends IntUnaryOperator
> ---
>  src/changes/changes.xml|  1 +
>  .../apache/commons/text/RandomStringGenerator.java |  4 +--
>  .../apache/commons/text/TextRandomProvider.java| 34
> +-
>  3 files changed, 29 insertions(+), 10 deletions(-)
>
> diff --git a/src/changes/changes.xml b/src/changes/changes.xml
> index b5824ded..69c3ce3f 100644
> --- a/src/changes/changes.xml
> +++ b/src/changes/changes.xml
> @@ -49,6 +49,7 @@ The  type attribute can be add,update,fix,remove.
>  
>  
>  Interface
> StringLookup now extends UnaryOperator.
> +Interface
> TextRandomProvider extends IntUnaryOperator.
>  
>  Bump org.apache.commons:commons-parent from 81 to 84 #668.
>  Bump
> commons-io:commons-io from 2.18.0 to 2.19.0.
> diff --git
> a/src/main/java/org/apache/commons/text/RandomStringGenerator.java
> b/src/main/java/org/apache/commons/text/RandomStringGenerator.java
> index df3f3938..4a999649 100644
> --- a/src/main/java/org/apache/commons/text/RandomStringGenerator.java
> +++ b/src/main/java/org/apache/commons/text/RandomStringGenerator.java
> @@ -459,7 +459,7 @@ public final class RandomStringGenerator {
>   */
>  private int generateRandomNumber(final int minInclusive, final int
> maxInclusive) {
>  if (random != null) {
> -return random.nextInt(maxInclusive - minInclusive + 1) +
> minInclusive;
> +return random.applyAsInt(maxInclusive - minInclusive + 1) +
> minInclusive;
>  }
>  return ThreadLocalRandom.current().nextInt(minInclusive,
> maxInclusive + 1);
>  }
> @@ -474,7 +474,7 @@ public final class RandomStringGenerator {
>  private int generateRandomNumber(final List characterList)
> {
>  final int listSize = characterList.size();
>  if (random != null) {
> -return
> String.valueOf(characterList.get(random.nextInt(listSize))).codePointAt(0);
> +return
> String.valueOf(characterList.get(random.applyAsInt(listSize))).codePointAt(0);
>  }
>  return
> String.valueOf(characterList.get(ThreadLocalRandom.current().nextInt(0,
> listSize))).codePointAt(0);
>  }
> diff --git a/src/main/java/org/apache/commons/text/TextRandomProvider.java
> b/src/main/java/org/apache/commons/text/TextRandomProvider.java
> index 0190d9cb..23ba9173 100644
> --- a/src/main/java/org/apache/commons/text/TextRandomProvider.java
> +++ b/src/main/java/org/apache/commons/text/TextRandomProvider.java
> @@ -16,6 +16,8 @@
>   */
>  package org.apache.commons.text;
>
> +import java.util.function.IntUnaryOperator;
> +
>  /**
>   * TextRandomProvider implementations are used by {@link
> RandomStringGenerator}
>   * as a source of randomness.  It is highly recommended that the
> @@ -23,27 +25,43 @@ package org.apache.commons.text;
>   * library be used to provide the random number generation.
>   *
>   * 
> - * When using Java 8 or later, TextRandomProvider is a functional
> interface and
> - * need not be explicitly implemented.  For example:
> + * {@code TextRandomProvider} is a functional interface and need not be
> explicitly implemented.
> + * 
> + * 
> + * For example:
>   * 
>   * 
>   * {@code
>   * UniformRandomProvider rng = RandomSource.create(...);
>   * RandomStringGenerator gen = RandomStringGenerator.builder()
> - * .usingRandom(rng::nextInt)
> + * .usingRandom(rng::applyAsInt)
>

This is not a valid example. The UniformRandomProvider interface does not
have a 'applyAsInt' method, so the code would not compile.



>   * // additional builder calls as needed
>   * .build();
>   * }
>   * 
>   * @since 1.1
>   */
> -public interface TextRandomProvider {
> +public interface TextRandomProvider extends IntUnaryOperator {
> +
> +/**
> + * Generates an int value between 0 (inclusive) and the specified
> value (exclusive).
> + *
> + * @param max Bound on the random number to be returned. Must be
> positive.
> + * @return a random int value between 0 (inclusive) and max
> (exclusive).
> + * @since 1.14.0
> + */
> +@Override
> +default int applyAsInt(final int max) {
> +return nextInt(max);
> +}
>
>  /**
> - * Generates an int value between 0 (inclusive) and the specified
> value
> - * (exclusive).
> - * @param max  Bound on the random number to be returned. Must be
> positive.
> - * @return a random int value between 0 (inclusive) and n (exclusive).
> + * Generates an int value between 0 (inclusive) and

Re: [beanutils2] Question about the official final 2.0.0 release timeline

2025-05-20 Thread Melloware Inc 
Note I have already submitted a JasperReports PR against BeanUtils 2.0.0-M1
months ago but the author doesn't like its an M1.

See: https://github.com/Jaspersoft/jasperreports/pull/488

On Tue, May 20, 2025 at 1:49 PM Gary Gregory  wrote:

> Hi Zach,
>
> There is no official or unofficial release date yet because I would like to
> get more community feedback before we set the API in stone for 2.0.0.
>
> It would be painful if your port from 1.x to 2.x revealed issues requiring
> API changes that we couldn't make until 3.x. Would you use 2.0.0-M1 and
> report your findings?
>
> > blocker for our migration of our software suite from Java 11 to Java 21
>
> I'm not sure what this has to do with BU as BU 1.x and 2.x are both tested
> against all Java LTS versions: 8, 11, 17, 21 (See GitHub).
>
> Issue https://issues.apache.org/jira/browse/BEANUTILS-532 is handled in
> 2.0.0-M1.
>
> WRT COLLECTIONS-701 (
>
> https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> ),
> this can only happen due to a programming error, and was fixed in 4.3.
>
> > The expected timeline or requirements for a stable/final BeanUtils2 2.0.0
> release?
>
> See above, in brief, please port to 2.0.0-M1.
>
> > Whether there are any remaining blockers or areas where the community can
> assist?
>
> - Testing 2.0.0-M1 and/or 2.0.0-M2-SNAPSHOT in your environment would be
> the most helpful.
> - You can also see Jira and GitHub pull requests to see if there are open
> issues that would matter to you.
>
> > Any official position on the referenced security concern in beanutils
> 1.9.x-1.10.x, given the current dependency structure?
>
> If by security concern you mean
> https://issues.apache.org/jira/browse/BEANUTILS-532, this is addressed in
> BU 2.0.0-M1 and cannot be fixed in BU 1 since updating Commons
> Collections 3.x to 4.x would break binary compatibility.
>
> HTH,
> Gary
>
>
> On Tue, May 20, 2025 at 10:47 AM Zach Dove  wrote:
>
> > Hello,
> >
> > I’d like to ask about the plans for an official release of BeanUtils2
> > (2.0.0 final). We are tracking this for our migration to Java 21 and
> > JasperReports 7.
> >
> > The milestone releases (2.0.0-M1) are helpful, but is there a timeline or
> > roadmap for a stable, non-milestone release?
> > I'm referencing from *
> https://commons.apache.org/proper/commons-beanutils/changes.html
> > * .
> >
> > Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks
> > a release was made through 'melloware' group as a non-Apache alternative
> to
> > swap 2.0.0-M1 to 2.0.0.
> > I've followed up with melloware on the issue of
> > https://github.com/Jaspersoft/jasperreports/issues/260
> >
> >
> > Currently the lack of a vision for an official final release of
> BeanUtils2
> > remains a concerning blocker for our migration of our software suite from
> > Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.
> >
> >
> > In addition, https://github.com/apache/commons-beanutils/security does
> > not contain any disclaimer disregarding a continuous concern within the
> > community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 /
> > COLLECTIONS-701,  revolving around the concerns of the changes made in
> > commons-collections4, 4.2,
> >
> >
> Https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> > <
> https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> >
> >
> >
> > I took the time to look through the dependencies in commons-beanutils,
> >  commons-beanutils2, commons-digester, collections 3.2 /
> > commons-collections4 and was unable to find SetUniqueList being used
> > across these components that directly impacts commons-beanutils
> > functionality & security.
> >
> >
> > In short, could you please advise / response on:
> > - The expected timeline or requirements for a stable/final BeanUtils2
> > 2.0.0 release?
> > - Whether there are any remaining blockers or areas where the community
> > can assist?
> > - Any official position on the referenced security concern in beanutils
> > 1.9.x-1.10.x, given the current dependency structure?
> >
> > Best,
> >
> > *Zach Dove,*  Software Developer, D2, Store Transactions
> > *P* 828.265.2907* | ** www.ecrs.com
> > *
> >
> > *  **  >*
> >
> > * *  * *  *
> > *  * *
> >
> > * *
> >
> > * *
> >
> >
>


-- 
==
Melloware
melloware...@gmail.c

Re: [beanutils2] Question about the official final 2.0.0 release timeline

2025-05-20 Thread Gary Gregory 
On Tue, May 20, 2025 at 11:24 AM Melloware Inc 
wrote:

> I +1 this vote for an official BeanUtils 2.0.0 release. I am using it in
> Production as M1 for months now without issue.
>

Good to know! TY.

Have you tried a snapshot from git master?

It would be good to know if there are any issues there.

Gary


>
> On Tue, May 20, 2025 at 10:47 AM Zach Dove  wrote:
>
> > Hello,
> >
> > I’d like to ask about the plans for an official release of BeanUtils2
> > (2.0.0 final). We are tracking this for our migration to Java 21 and
> > JasperReports 7.
> >
> > The milestone releases (2.0.0-M1) are helpful, but is there a timeline or
> > roadmap for a stable, non-milestone release?
> > I'm referencing from *
> https://commons.apache.org/proper/commons-beanutils/changes.html
> > * .
> >
> > Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532 looks
> > a release was made through 'melloware' group as a non-Apache alternative
> to
> > swap 2.0.0-M1 to 2.0.0.
> > I've followed up with melloware on the issue of
> > https://github.com/Jaspersoft/jasperreports/issues/260
> >
> >
> > Currently the lack of a vision for an official final release of
> BeanUtils2
> > remains a concerning blocker for our migration of our software suite from
> > Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.
> >
> >
> > In addition, https://github.com/apache/commons-beanutils/security does
> > not contain any disclaimer disregarding a continuous concern within the
> > community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 /
> > COLLECTIONS-701,  revolving around the concerns of the changes made in
> > commons-collections4, 4.2,
> >
> >
> Https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> > <
> https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> >
> >
> >
> > I took the time to look through the dependencies in commons-beanutils,
> >  commons-beanutils2, commons-digester, collections 3.2 /
> > commons-collections4 and was unable to find SetUniqueList being used
> > across these components that directly impacts commons-beanutils
> > functionality & security.
> >
> >
> > In short, could you please advise / response on:
> > - The expected timeline or requirements for a stable/final BeanUtils2
> > 2.0.0 release?
> > - Whether there are any remaining blockers or areas where the community
> > can assist?
> > - Any official position on the referenced security concern in beanutils
> > 1.9.x-1.10.x, given the current dependency structure?
> >
> > Best,
> >
> > *Zach Dove,*  Software Developer, D2, Store Transactions
> > *P* 828.265.2907* | ** www.ecrs.com
> > *
> >
> > *  **  >*
> >
> > * *  * *  *
> > *  * *
> >
> > * *
> >
> > * *
> >
> >
>
> --
> ==
> Melloware
> melloware...@gmail.com
> http://melloware.com
> ==
>

Re: [beanutils2] Question about the official final 2.0.0 release timeline

2025-05-20 Thread Gary Gregory 
Creating a PR in JasperReports runs... zero tests?

Gary


On Tue, May 20, 2025 at 4:41 PM Melloware Inc 
wrote:

> Note I have already submitted a JasperReports PR against BeanUtils 2.0.0-M1
> months ago but the author doesn't like its an M1.
>
> See: https://github.com/Jaspersoft/jasperreports/pull/488
>
> On Tue, May 20, 2025 at 1:49 PM Gary Gregory 
> wrote:
>
> > Hi Zach,
> >
> > There is no official or unofficial release date yet because I would like
> to
> > get more community feedback before we set the API in stone for 2.0.0.
> >
> > It would be painful if your port from 1.x to 2.x revealed issues
> requiring
> > API changes that we couldn't make until 3.x. Would you use 2.0.0-M1 and
> > report your findings?
> >
> > > blocker for our migration of our software suite from Java 11 to Java 21
> >
> > I'm not sure what this has to do with BU as BU 1.x and 2.x are both
> tested
> > against all Java LTS versions: 8, 11, 17, 21 (See GitHub).
> >
> > Issue https://issues.apache.org/jira/browse/BEANUTILS-532 is handled in
> > 2.0.0-M1.
> >
> > WRT COLLECTIONS-701 (
> >
> >
> https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> > ),
> > this can only happen due to a programming error, and was fixed in 4.3.
> >
> > > The expected timeline or requirements for a stable/final BeanUtils2
> 2.0.0
> > release?
> >
> > See above, in brief, please port to 2.0.0-M1.
> >
> > > Whether there are any remaining blockers or areas where the community
> can
> > assist?
> >
> > - Testing 2.0.0-M1 and/or 2.0.0-M2-SNAPSHOT in your environment would be
> > the most helpful.
> > - You can also see Jira and GitHub pull requests to see if there are open
> > issues that would matter to you.
> >
> > > Any official position on the referenced security concern in beanutils
> > 1.9.x-1.10.x, given the current dependency structure?
> >
> > If by security concern you mean
> > https://issues.apache.org/jira/browse/BEANUTILS-532, this is addressed
> in
> > BU 2.0.0-M1 and cannot be fixed in BU 1 since updating Commons
> > Collections 3.x to 4.x would break binary compatibility.
> >
> > HTH,
> > Gary
> >
> >
> > On Tue, May 20, 2025 at 10:47 AM Zach Dove 
> wrote:
> >
> > > Hello,
> > >
> > > I’d like to ask about the plans for an official release of BeanUtils2
> > > (2.0.0 final). We are tracking this for our migration to Java 21 and
> > > JasperReports 7.
> > >
> > > The milestone releases (2.0.0-M1) are helpful, but is there a timeline
> or
> > > roadmap for a stable, non-milestone release?
> > > I'm referencing from *
> > https://commons.apache.org/proper/commons-beanutils/changes.html
> > > * .
> > >
> > > Mitigation for https://issues.apache.org/jira/browse/BEANUTILS-532
> looks
> > > a release was made through 'melloware' group as a non-Apache
> alternative
> > to
> > > swap 2.0.0-M1 to 2.0.0.
> > > I've followed up with melloware on the issue of
> > > https://github.com/Jaspersoft/jasperreports/issues/260
> > >
> > >
> > > Currently the lack of a vision for an official final release of
> > BeanUtils2
> > > remains a concerning blocker for our migration of our software suite
> from
> > > Java 11 to Java 21 and a blocker for continuing with Jasper Reports 7.
> > >
> > >
> > > In addition, https://github.com/apache/commons-beanutils/security does
> > > not contain any disclaimer disregarding a continuous concern within the
> > > community for "security issue" Cx78f40514-81ff / sonatype-2024-3350 /
> > > COLLECTIONS-701,  revolving around the concerns of the changes made in
> > > commons-collections4, 4.2,
> > >
> > >
> >
> Https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> > > <
> >
> https://github.com/apache/commons-collections/commit/1979a6e31067a18c9ede59ad4518f738512eba82#diff-8e53271d5d8299a76d43b0e3c81740fbe660083ae71c5bf2be63846d52156f23
> > >
> > >
> > >
> > > I took the time to look through the dependencies in commons-beanutils,
> > >  commons-beanutils2, commons-digester, collections 3.2 /
> > > commons-collections4 and was unable to find SetUniqueList being used
> > > across these components that directly impacts commons-beanutils
> > > functionality & security.
> > >
> > >
> > > In short, could you please advise / response on:
> > > - The expected timeline or requirements for a stable/final BeanUtils2
> > > 2.0.0 release?
> > > - Whether there are any remaining blockers or areas where the community
> > > can assist?
> > > - Any official position on the referenced security concern in beanutils
> > > 1.9.x-1.10.x, given the current dependency structure?
> > >
> > > Best,
> > >
> > > *Zach Dove,*  Software Developer, D2, Store Transactions
> > > *P* 828.265.2907* | ** www.ecrs.com
> > > *
> > >
>