
[SCA] Security upgrade @commons-collections:commons-collections from 3.1 to 3.2.2 #179

Open
gwnlng wants to merge 1 commit into main from snyk-upgrade-d91055af0825207a704b9a48752b654a

Conversation


@gwnlng gwnlng commented Apr 27, 2026


This is a PR from Snyk, initiated by the Security team, to fix 3 vulnerabilities in the dependencies of this project.

Snyk changed the following file(s):

  • log4shell-goof/log4shell-server/pom.xml

Important

  • This PR was automatically generated by our security tool to help you fix known vulnerabilities in your project's third-party libraries more efficiently. However, there is a possibility that these changes could introduce functional regressions or breakages. Please ensure you test this PR thoroughly before merging.
  • If you have any questions or concerns, please seek support in the #sca-support Slack channel.

References:

  1. Latest project report in Snyk
  2. How to access Snyk via SSO?
  3. Snyk knowledge base

Snyk has created this PR to upgrade commons-collections:commons-collections from 3.1 to 3.2.2.

See this package in maven:
commons-collections:commons-collections

See this project in Snyk:
https://app.snyk.io/org/gwunleong.lee/project/7b9f70d3-b8b5-4067-ae7e-7580f10d43c1?utm_source=github&utm_medium=referral&page=upgrade-pr

gwnlng commented Apr 27, 2026

Merge Risk: Medium

This upgrade from version 3.1 to 3.2.2 includes bug fixes and a critical security patch. While version 3.2 was documented as being fully binary compatible with 3.1, version 3.2.2 introduces a behavioral change that could impact specific use cases. [4]

Key Change:

  • Security Fix (Behavioral Change): To mitigate a remote code execution vulnerability, version 3.2.2 disables the serialization of unsafe classes within the functor package by default. [1, 2, 5] Attempts to serialize or deserialize these specific classes (like InvokerTransformer) will now throw an exception where they previously did not. [5, 7]

Deprecations:

  • Version 3.2 deprecated BeanMap and MultiHashMap, noting they would be removed in version 4.0. This is not a breaking change for the 3.x version line. [4]

Recommendation:
This is a MEDIUM risk upgrade. While most applications will be unaffected, you must verify that your application does not rely on serializing or deserializing objects from the org.apache.commons.collections.functor package. If it does, you may need to enable the old behavior via a system property, though this is not recommended due to security implications. [1]

Source: Apache Commons Collections Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
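
The two checks the merge-risk comment above calls for, as an added Java example that is not part of this PR or of the goof project: a probe that round-trips an InvokerTransformer (the class lives in org.apache.commons.collections.functors) through Java serialization and reports whether the resolved commons-collections build blocks it, a read of the opt-out system property org.apache.commons.collections.enableUnsafeSerialization named in the 3.2.2 release notes, and an allowlisting ObjectInputStream as an application-side control that rejects functor classes regardless of which library version ends up on the classpath. The class and method names below are my own; the example assumes commons-collections 3.2.2 (or 3.1, for comparison) is on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/** Pre-merge regression check for the commons-collections 3.1 -> 3.2.2 bump (hypothetical helper). */
public class FunctorSerializationCheck {

    /** Opt-out property documented in the 3.2.2 release notes; "true" restores the 3.1 behaviour. */
    static final String ENABLE_UNSAFE = "org.apache.commons.collections.enableUnsafeSerialization";

    /** True if the JVM has opted back into unsafe functor serialization: a finding worth flagging. */
    static boolean unsafeSerializationEnabled() {
        return Boolean.parseBoolean(System.getProperty(ENABLE_UNSAFE, "false"));
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    /**
     * Serializes and deserializes a harmless InvokerTransformer (it would only call toString()).
     * Returns "BLOCKED" when the library refuses, which is the expected 3.2.2 result with the
     * property unset, and "ALLOWED" when the round trip succeeds (3.1, or 3.2.2 with the property set).
     */
    static String probeInvokerTransformerRoundTrip() throws IOException, ClassNotFoundException {
        Transformer t = InvokerTransformer.getInstance("toString");
        byte[] bytes;
        try {
            bytes = serialize(t);                    // 3.2.2 guards writeObject
        } catch (UnsupportedOperationException blocked) {
            return "BLOCKED";
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();                         // 3.2.2 guards readObject as well
        } catch (UnsupportedOperationException blocked) {
            return "BLOCKED";
        }
        return "ALLOWED";
    }

    /** ObjectInputStream that only resolves classes on an explicit allowlist, independent of library version. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, String... allowedClassNames) throws IOException {
            super(in);
            this.allowed = new HashSet<>(Arrays.asList(allowedClassNames));
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                // Rejected before the class is loaded, so functor gadgets never get a chance to run.
                throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** True if the stream deserializes under the given allowlist, false if the allowlist rejects it. */
    static boolean allowlistAccepts(byte[] stream, String... allowedClassNames) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(stream), allowedClassNames)) {
            in.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(ENABLE_UNSAFE + " = " + unsafeSerializationEnabled());
        System.out.println("InvokerTransformer round trip: " + probeInvokerTransformerRoundTrip());

        // Constructed sample: an ArrayList of strings passes only when ArrayList itself is allowlisted.
        byte[] list = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        System.out.println("ArrayList accepted with ArrayList allowlisted: " + allowlistAccepts(list, "java.util.ArrayList"));
        System.out.println("ArrayList accepted with only HashMap allowlisted: " + allowlistAccepts(list, "java.util.HashMap"));
    }
}
```

Run it with the project's resolved classpath before and after the bump: on 3.1 the probe reports ALLOWED, on 3.2.2 it reports BLOCKED unless the property is set to true, which is the configuration the comment recommends against. The allowlisting stream is the control to keep if the application must go on deserializing at all, since it does not depend on the library's default staying in place.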


gwnlng commented Apr 27, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |

