chore: bump parent v50 -> v51 and migrate commons-lang -> commons-lang3 #111
bjagg merged 2 commits on May 3, 2026
uportal-portlet-parent:51 closes CVE-2025-48924 by replacing commons-lang 2.6 (EOL, no upstream fix) with commons-lang3 3.20.0 + commons-text 1.15.0. Parent v51 dropped legacy commons-lang from dependencyManagement, so this repo's submodule poms and Java source must move to commons-lang3 to keep compilation working.

Changes:
- pom.xml (root): <parent><version>50</version></> -> 51.
- courses-portlet-api/pom.xml, courses-portlet-webapp/pom.xml: swap commons-lang dep declarations for commons-lang3.
- src: rename imports across the 4 files using lang APIs: org.apache.commons.lang.* -> org.apache.commons.lang3.* (StringUtils, RandomStringUtils, builder.ToStringBuilder, builder.ToStringStyle). lang3 is API-compatible for these.
Problem: NOTICE was generated against the parent v50 dep tree (legacy commons-lang). After the parent v50 -> v51 bump and the commons-lang -> commons-lang3 swap, `mvn notice:check` flagged drift.

Goal: align NOTICE with the actual deployed dep tree so notice:check passes during release:prepare.

Changes:
- regenerate NOTICE via `mvn notice:generate` against current deps; picks up Apache Commons Lang (lang3), Apache Commons Compress, Esbuild wrapper, Hibernate Core (was missing), Java Servlet API, Java Transaction API, AntLR, dom4j; drops Commons Logging shim that was removed transitively.
bjagg added a commit that referenced this pull request on May 3, 2026
…112)

Problem: #111 regenerated the root NOTICE for the parent v51 + commons-lang -> commons-lang3 work but missed the per-submodule NOTICE files. Running `mvn notice:check` on master fails on courses-portlet-api with 'Existing NOTICE file ... doesn't match expected NOTICE file', which would block `mvn release:prepare` for 2.1.1.

Goal: bring every reactor module's NOTICE in sync with its actual dep tree so notice:check passes across the full reactor.

Changes:
- courses-portlet-api/NOTICE, courses-portlet-dao/NOTICE, courses-portlet-webapp/NOTICE: regenerated via `mvn notice:generate` to pick up the post-v51 license metadata (Apache Commons Lang under Apache-2.0; Joda-Time / SLF4J license-name normalization).
- Verified `mvn notice:check` is now green on all four reactor modules (root + 3 submodules).
Release-prep PR for CoursesPortlet 2.1.1, aligning with the fleet-wide v51 + lang3 wave.
Supersedes #110 (which was the bare parent bump from Renovate, but would have failed CI without the source migration).
Summary
Two commits, both keep master green:
`commons-lang` from `dependencyManagement` (CVE-2025-48924 close-out). This repo declares `commons-lang` directly in two submodule poms (`courses-portlet-api`, `courses-portlet-webapp`) and uses it from 4 source files (`StudentCourseRegistration`, `SecureRequestCredentials`, `CourseSectionMeetingWrapper`, `DegreeProgressController`). All three needed updating. lang3 is API-compatible for the StringUtils, RandomStringUtils, builder.ToStringBuilder, builder.ToStringStyle classes used here.

The earlier v49 -> v50 bump (CVE-2023-37460 plexus-archiver) shipped via #109 and is the merge base here.
Deferred
`spring-ws-security` v5 major bump) and fix(deps): update jaxb2basics.version (major) #107 (`jaxb2basics` major bump) are intentionally left open — both are major version jumps that need separate review and are not blockers for 2.1.1.
Test plan
- `mvn -B clean install` passes locally on Java 11 (4-module reactor green)
- `mvn notice:check` passes
- `mvn license:check` passes
- `mvn release:clean release:prepare release:perform` for 2.1.1
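An added example, not part of this pull request or the project's code: a small Python check that a tree has no leftovers of the legacy library after a migration like the one described above, looking for `org.apache.commons.lang.*` imports in Java sources and `commons-lang:commons-lang` declarations in poms. The function names and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Matches org.apache.commons.lang.* but not org.apache.commons.lang3.*
LEGACY_IMPORT = re.compile(
    r"^\s*import\s+(?:static\s+)?(org\.apache\.commons\.lang\.[\w.*]+)\s*;", re.M)
LEGACY_GAV = ("commons-lang", "commons-lang")  # groupId, artifactId of the 2.x line

def legacy_imports(java_source):
    """Return the legacy commons-lang imports found in one Java source string."""
    return LEGACY_IMPORT.findall(java_source)

def legacy_pom_deps(pom_xml):
    """Return 'groupId:artifactId:version' for each declared legacy dependency."""
    hits = []
    for el in ET.fromstring(pom_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "dependency":  # ignore the POM namespace
            continue
        f = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        if (f.get("groupId"), f.get("artifactId")) == LEGACY_GAV:
            hits.append(":".join(LEGACY_GAV + (f.get("version", "(managed)"),)))
    return hits

def scan_tree(root):
    """Map each offending file under root to its findings; empty dict means clean."""
    findings = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        hits = []
        if path.suffix == ".java":
            hits = legacy_imports(path.read_text(encoding="utf-8", errors="replace"))
        elif path.name == "pom.xml":
            hits = legacy_pom_deps(path.read_bytes())
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed samples (not files from this repository).
SAMPLE_JAVA = """package example;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.RandomStringUtils;
import static org.apache.commons.lang.builder.ToStringStyle.SHORT_PREFIX_STYLE;
"""
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>commons-lang</groupId><artifactId>commons-lang</artifactId></dependency>
  <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    print(scan_tree("."))  # run from the repository root
```

This only sees declared dependencies and source imports; a copy of commons-lang 2.x pulled in transitively shows up in `mvn dependency:tree -Dincludes=commons-lang:commons-lang` instead.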