Closed rjunqueira closed 1 year ago
If you wish to fork ESAPI and support a esapi-jakarta version, then go for it, but the ESAPI team does not have enough resources to support both javax.servlet
andjakarta.servlet
namespaces.
We have discussed this at length at https://github.com/ESAPI/esapi-java-legacy/discussions/768, but simply abandoning all current clients using ESAPI is not something that we are ready to do.
Therefore, I am rejecting this PR for the reasons mentioned above. (Now if you can automate this so that 2 versions are supported via Maven so we don't have twice the ongoing support effort, we are certainly willing to do that.)
Hello,
Yes i have read your "big issue". Currently i'll maintain my fork (doing periodic refresh) until i find some time to automatize this think as you want (maybe using github scripts/features instead of maven ... avoiding nightmare)
@rjunqueira Could you explain please, where you got this dependency from?
<groupId>org.apache.commons</groupId>
<artifactId>commons-fileupload2</artifactId>
<version>2.0-SNAPSHOT</version>
@KatrukOV
Sorry i have forget to include that : `
`
So it's here : https://repository.apache.org/content/repositories/snapshots/org/apache/commons/commons-fileupload2/
@KatrukOV - Not that it matters all that much to me, after all, it's your own fork and all, but as a developer, I never want to have a dependency depend on 'snapshots' of anything. That's fine if you want to live on the bleeding edge, but not of you want to provide something that is will be used by enterprise production-ready software. If it were an emergency patch release and that were the only workaround, then perhaps that would be fine as a temporary thing, but long term, I would be cautious using any library that would even rely on a RC (release candidate) much less a SNAPSHOT version.
@KatrukOV it's ok as we have fixed a specific snapshot version for us to avoid surprises .
But the only changes of this version 2.0 is the split to supports javax and jakarta (and it will be API compatible). It's near to be released since months (and now their are continuing moving and modifying poms and md files)
Sounds like the 2.0-SNAPSHOT is only a temporary thing after which you'll start using a stable release, so it's probably not a problem, although I probably would at least note that as a comment in your pom.xml.
I think one also needs to change
Can help someone