I'm looking for a way to transition from Commons Lang 2 to Commons Lang 3 due to multiple CVEs in the older version that's still lingering in our company's product. We've managed to address the direct dependencies without too much trouble, but we're facing a bigger challenge with the transitive dependencies, which could mean a lot of other complex upgrades. Ideally, I'm hoping to find some kind of shim library that replicates the Commons Lang 2 APIs but runs on Commons Lang 3. This would help us completely remove Commons Lang 2 while minimizing the upheaval in our codebase. I know we should eventually move away from Commons Lang 2, but we're also balancing that against our current time constraints and team demands.
2 Answers
I’m not aware of any shim library specifically, but there’s an open rewrite recipe you could use to handle a migration: https://docs.openrewrite.org/recipes/apache/commons/lang/upgradeapachecommonslang_2_3. It could help clean up some of your own source code without directly addressing the dependency issue, though...
It’s surprising how often this comes up in companies that aren't on top of their dependencies. Commons Lang 2 hasn't seen an update since January 2011! If CVEs are a concern, keeping your code base updated should be just as important. This feels like more of a management issue as well since it sounds like there's a larger problem at play here than just a single library.
That's useful for your own code, but what you're really battling is those existing dependencies that still need the old version, right?