Recent changes to feature-requestshttps://sourceforge.net/p/opencsv/feature-requests/2026-02-14T21:15:35.900000ZRecent changes to feature-requests#175 Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable2026-02-14T21:15:35.900000Z2026-02-14T21:15:35.900000ZScott Conwayhttps://sourceforge.net/u/sconway/https://sourceforge.net3f6eff65bc436b459c2f87737a63e0ba3fd9ad30<div class="markdown_content"><p>Sorry Peter this must be an issue on the build on your project. Because 5.12.0 does use commons-lang3 3.18.0 as you can see from <a href="https://central.sonatype.com/artifact/com.opencsv/opencsv/dependencies." rel="nofollow">https://central.sonatype.com/artifact/com.opencsv/opencsv/dependencies.</a> </p>
<p>If you use maven to build your projects (and I apologize I do not know enough about gradles to know the equivalent off hand) run the following on your project:</p>
<p>mvn dependency:tree</p>
<p>and from what you are telling me it should show 3.17 instead of 3.18. This is because another dependency pulled in 3.17.0 as a transitive dependency. If so then run </p>
<p>mvn dependency:tree -Dverbose </p>
<p>and that will show you which dependency is pulling commons-lang3 3.17.0. </p>
<p>To fix the issue you neeed to add a dependencyManagement section in your pom.xml file. </p>
<div class="codehilite"><pre><span></span><code><span class="w"> </span><span class="nt"><dependencyManagement></span>
<span class="w"> </span><span class="nt"><dependencies></span>
<span class="w"> </span><span class="nt"><dependency></span>
<span class="w"> </span><span class="nt"><groupId></span>org.apache.commons<span class="nt"></groupId></span>
<span class="w"> </span><span class="nt"><artifactId></span>commons-lang3<span class="nt"></artifactId></span>
<span class="w"> </span><span class="nt"><version></span>3.18.0<span class="nt"></version></span>
<span class="w"> </span><span class="nt"></dependency></span>
<span class="w"> </span><span class="nt"></dependencies></span>
<span class="w"> </span><span class="nt"></dependencyManagement></span>
</code></pre></div>
<p>And that is maven's way of saying "I am not telling you to use commons-lang3 but if you do you will use version 3.18.0. </p></div>#175 Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable2026-02-13T22:20:31.454000Z2026-02-13T22:20:31.454000ZPeter Penzovhttps://sourceforge.net/u/peterpenzov/https://sourceforge.net9eccda9cf6a12e10a8a336c8e4a436c06c77066c<div class="markdown_content"><p>I use com.opencsv:opencsv:5.12.0</p>
<p>In Intellij I see this warning:</p>
<div class="codehilite"><pre><span></span><code>Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable
Update to unaffected version 3.18.0
CVE-2025-48924, Score: 5.3
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Read More: https://www.mend.io/vulnerability-database/CVE-2025-48924?utm_source=Jetbrains
Results powered by Mend.io
</code></pre></div>
</div>#175 Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable2026-02-13T16:17:58.542000Z2026-02-13T16:17:58.542000ZScott Conwayhttps://sourceforge.net/u/sconway/https://sourceforge.net8212f9b8c5f4716fa2bdde2fd57ccb101f2abe71<div class="markdown_content"><p>Hello Peter</p>
<p>What version opencsv are you using? The latest release version 5.12.0 uses 3.18.0 </p>
<p><a href="https://central.sonatype.com/artifact/com.opencsv/opencsv/dependencies" rel="nofollow">https://central.sonatype.com/artifact/com.opencsv/opencsv/dependencies</a></p>
<p>Please let me know if there are any issues with that version of commons-lang3. If so the current snapshot version uses 3.20.0 but have not released it yet because all it has is dependency updates. </p></div>Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable2026-02-13T15:32:50.708000Z2026-02-13T15:32:50.708000ZPeter Penzovhttps://sourceforge.net/u/peterpenzov/https://sourceforge.net73a3582ec793d37f12d4310e1eea924caddd6403<div class="markdown_content"><p>In version com.opencsv:opencsv:5.12.0 there is dependency:</p>
<p>Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable</p>
<p>I get warning CVE-2025-48924<br/>
5.3<br/>
Transitive Insufficient Information</p>
<p>Any plans to update library version?</p></div>#170 commons-collections transitive dependency in opencsv:5.102026-01-12T16:29:04.058000Z2026-01-12T16:29:04.058000ZPeter Schulerhttps://sourceforge.net/u/pschuler/https://sourceforge.net009163ba5869ad925efc62d0333e9b2901fd4c9c<div class="markdown_content"><p>We really need a version that does not have this end of life version of commons-collections.</p></div>#174 Upgrade to commons-text 1.15.02025-12-26T22:04:01.475000Z2025-12-26T22:04:01.475000ZScott Conwayhttps://sourceforge.net/u/sconway/https://sourceforge.net3d4eedce0186344c24c99b700c0c725e46c371ce<div class="markdown_content"><ul>
<li><strong>status</strong>: open --> accepted</li>
<li><strong>assigned_to</strong>: Scott Conway</li>
</ul></div>Upgrade to commons-text 1.15.02025-12-25T11:39:37.205000Z2025-12-25T11:39:37.205000ZAdrianhttps://sourceforge.net/u/adriansun299/https://sourceforge.netecfd922698dbdad29b0477b46aecff7ceafaeed1<div class="markdown_content"><p>Using Liquibase in Spring Boot and can see that I have one conflict. Spring boot starter liquibase 4.0.1 use spring boot liquibase that use liquibase-core 5.0.1 that use opencsv 5.12.0. OpenCSV 5.12.0 has commons-text 1.13.1 which conflicts with 1.14.0 that is from another package. I can see that 1.15.0 is out. Could be good to upgrade to something more modern. Marry Christmas and take care.</p></div>Upgrade to commons-text 1.15.02025-12-25T11:39:37.205000Z2025-12-25T11:39:37.205000ZAdrianhttps://sourceforge.net/u/adriansun299/https://sourceforge.netd9ec7962ff218456a0e3ca021fb7b83de1053d84<div class="markdown_content"><p>Ticket 174 has been modified: Upgrade to commons-text 1.15.0<br/>
Edited By: Scott Conway (sconway)<br/>
Status updated: 'open' => 'accepted'<br/>
Owner updated: None => 'sconway'</p></div>Quotation for numbers and booleans2025-12-03T11:39:50.789000Z2025-12-03T11:39:50.789000ZDaniel Dimovhttps://sourceforge.net/u/danieldimov/https://sourceforge.neta244544bac72498cb6327325f377c40a144f2eb6<div class="markdown_content"><p>Hi there,</p>
<p>I'm trying to make the StatefulBeanToCsvBuilder to write useful CSV files and my trouble is that either all fields are quoted, either they are all not quoted.</p>
<p>It would be good to create a new filed in StatefulBeanToCsvBuilder called for example "applyQuotesToStrings" (false by default)... If we set this field to true - the quotes to be applied only to String fields, but numbers and booleans to remain unquoted.</p>
<p>If there is some way I can contribute for this new feature - I will do it quickly.</p>
<p>Thanks<br/>
Daniel</p></div>#158 CsvBindByName capitalizes headers when writing2025-11-30T03:48:11.187000Z2025-11-30T03:48:11.187000ZScott Conwayhttps://sourceforge.net/u/sconway/https://sourceforge.netb5e213e03f2cf07717cdb5faab67ba8fff758b67<div class="markdown_content"><ul>
<li><strong>status</strong>: open --> closed</li>
</ul></div>