Recent changes to feature-requests

#175 Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable

Scott Conway — Sat, 14 Feb 2026 21:15:35 -0000

Sorry Peter this must be an issue on the build on your project. Because 5.12.0 does use commons-lang3 3.18.0 as you can see from https://central.sonatype.com/artifact/com.opencsv/opencsv/dependencies.

If you use maven to build your projects (and I apologize I do not know enough about gradles to know the equivalent off hand) run the following on your project:

mvn dependency:tree

and from what you are telling me it should show 3.17 instead of 3.18. This is because another dependency pulled in 3.17.0 as a transitive dependency. If so then run

mvn dependency:tree -Dverbose

and that will show you which dependency is pulling commons-lang3 3.17.0.

To fix the issue you neeed to add a dependencyManagement section in your pom.xml file.

    <dependencyManagement>
        <dependencies>
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-lang3</artifactId>
                 <version>3.18.0</version>
              </dependency>
            </dependencies>
    </dependencyManagement>

And that is maven's way of saying "I am not telling you to use commons-lang3 but if you do you will use version 3.18.0.

#175 Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable

Peter Penzov — Fri, 13 Feb 2026 22:20:31 -0000

I use com.opencsv:opencsv:5.12.0

In Intellij I see this warning:

Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable

Update to unaffected version 3.18.0

CVE-2025-48924,  Score: 5.3

Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
 Mend Note: The description of this vulnerability differs from MITRE.

Read More: https://www.mend.io/vulnerability-database/CVE-2025-48924?utm_source=Jetbrains

Results powered by Mend.io

#175 Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable

Scott Conway — Fri, 13 Feb 2026 16:17:58 -0000

Hello Peter

What version opencsv are you using? The latest release version 5.12.0 uses 3.18.0

https://central.sonatype.com/artifact/com.opencsv/opencsv/dependencies

Please let me know if there are any issues with that version of commons-lang3. If so the current snapshot version uses 3.20.0 but have not released it yet because all it has is dependency updates.

Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable

Peter Penzov — Fri, 13 Feb 2026 15:32:50 -0000

In version com.opencsv:opencsv:5.12.0 there is dependency:

Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable

I get warning CVE-2025-48924
5.3
Transitive Insufficient Information

Any plans to update library version?

#170 commons-collections transitive dependency in opencsv:5.10

Peter Schuler — Mon, 12 Jan 2026 16:29:04 -0000

We really need a version that does not have this end of life version of commons-collections.

#174 Upgrade to commons-text 1.15.0

Scott Conway — Fri, 26 Dec 2025 22:04:01 -0000

status: open --> accepted
assigned_to: Scott Conway

Upgrade to commons-text 1.15.0

Adrian — Thu, 25 Dec 2025 11:39:37 -0000

Using Liquibase in Spring Boot and can see that I have one conflict. Spring boot starter liquibase 4.0.1 use spring boot liquibase that use liquibase-core 5.0.1 that use opencsv 5.12.0. OpenCSV 5.12.0 has commons-text 1.13.1 which conflicts with 1.14.0 that is from another package. I can see that 1.15.0 is out. Could be good to upgrade to something more modern. Marry Christmas and take care.

Upgrade to commons-text 1.15.0

Adrian — Thu, 25 Dec 2025 11:39:37 -0000

Ticket 174 has been modified: Upgrade to commons-text 1.15.0
Edited By: Scott Conway (sconway)
Status updated: 'open' => 'accepted'
Owner updated: None => 'sconway'

Quotation for numbers and booleans

Daniel Dimov — Wed, 03 Dec 2025 11:39:50 -0000

Hi there,

I'm trying to make the StatefulBeanToCsvBuilder to write useful CSV files and my trouble is that either all fields are quoted, either they are all not quoted.

It would be good to create a new filed in StatefulBeanToCsvBuilder called for example "applyQuotesToStrings" (false by default)... If we set this field to true - the quotes to be applied only to String fields, but numbers and booleans to remain unquoted.

If there is some way I can contribute for this new feature - I will do it quickly.

Thanks
Daniel

#158 CsvBindByName capitalizes headers when writing

Scott Conway — Sun, 30 Nov 2025 03:48:11 -0000

status: open --> closed