Migration javax -> jakarta if anyone need it

ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.

https://owasp.org/www-project-enterprise-security-api/

Other

598 stars 363 forks source link

Migration javax -> jakarta if anyone need it #787

Closed rjunqueira closed 1 year ago

rjunqueira commented 1 year ago

Can help someone

kwwall commented 1 year ago

If you wish to fork ESAPI and support a esapi-jakarta version, then go for it, but the ESAPI team does not have enough resources to support both javax.servlet andjakarta.servlet namespaces.

We have discussed this at length at https://github.com/ESAPI/esapi-java-legacy/discussions/768, but simply abandoning all current clients using ESAPI is not something that we are ready to do.

Therefore, I am rejecting this PR for the reasons mentioned above. (Now if you can automate this so that 2 versions are supported via Maven so we don't have twice the ongoing support effort, we are certainly willing to do that.)

rjunqueira commented 1 year ago

Hello,

Yes i have read your "big issue". Currently i'll maintain my fork (doing periodic refresh) until i find some time to automatize this think as you want (maybe using github scripts/features instead of maven ... avoiding nightmare)

KatrukOV commented 1 year ago

@rjunqueira Could you explain please, where you got this dependency from?

<groupId>org.apache.commons</groupId>
<artifactId>commons-fileupload2</artifactId>
<version>2.0-SNAPSHOT</version>

rjunqueira commented 1 year ago

@KatrukOV

Sorry i have forget to include that : `

apache.snapshots Apache Development Snapshot Repository https://repository.apache.org/content/repositories/snapshots/ false true

So it's here : https://repository.apache.org/content/repositories/snapshots/org/apache/commons/commons-fileupload2/

kwwall commented 1 year ago

@KatrukOV - Not that it matters all that much to me, after all, it's your own fork and all, but as a developer, I never want to have a dependency depend on 'snapshots' of anything. That's fine if you want to live on the bleeding edge, but not of you want to provide something that is will be used by enterprise production-ready software. If it were an emergency patch release and that were the only workaround, then perhaps that would be fine as a temporary thing, but long term, I would be cautious using any library that would even rely on a RC (release candidate) much less a SNAPSHOT version.

rjunqueira commented 1 year ago

@KatrukOV it's ok as we have fixed a specific snapshot version for us to avoid surprises .

But the only changes of this version 2.0 is the split to supports javax and jakarta (and it will be API compatible). It's near to be released since months (and now their are continuing moving and modifying poms and md files)

cf https://github.com/apache/commons-fileupload

kwwall commented 1 year ago

Sounds like the 2.0-SNAPSHOT is only a temporary thing after which you'll start using a stable release, so it's probably not a problem, although I probably would at least note that as a comment in your pom.xml.

KatrukOV commented 1 year ago

I think one also needs to change to the new version. In my case, I deactivated some plugins and reports, and this is enough for testing ESAPI with jakarta. Thanks for the opportunity to try this with jakarta.