Description
As of GHSA-j288-q9x7-2f5v, core is shipping an old library with an unresolved security vulnerability. It would be ideal if this could be removed from Jenkins core, but before that can happen:
- Jenkins core itself needs to stop consuming it, including our fork of Json-Lib
- Jenkins plugins need to stop consuming it, by migrating either to plain Java Platform functionality or to the Commons Lang 3 Jenkins library plugin
See #8996 (comment) for further discussion.
Originally reported by bobdu, imported from: Remove Commons Lang 2 from core
- status: Open
- priority: Major
- component(s): core
- resolution: Unresolved
- votes: 0
- watchers: 2
- imported: 2025-11-24