Feature Description
It would be great if swagger-core would not depend on commons-lang3.
Use Case
Currently swagger-core uses only a few classes from commons-lang3, and it would probably be worth dropping the dependency for the following reasons:
- Better security. commons-* follows the "all features in a single jar" pattern, so a CVE in one of the classes would impact swagger-core
- Fewer bytes to ship with the binary distribution for end users: commons-lang3 is ~690K
I have raised a suggestion to make commons-lang3 modular and extract modules like commons-stringutils, commons-arrayutils; however, the Commons team does not seem to like the idea.
Commons PMC members often suggest that users should clone the code or shade commons-lang, see
- https://lists.apache.org/thread/xzdhv57o9rnxtzn5fqbtkzj0hdkbm339
- https://lists.apache.org/thread/9g1opd6l44dmck00b8gwg5qf1srngybl
Suggested Solution (optional)
Use modern Java approaches and remove the use of commons-lang completely.
Alternatives Considered
Ship a micro-module library to replace commons-lang3.
Additional Context
- https://lists.apache.org/thread/xzdhv57o9rnxtzn5fqbtkzj0hdkbm339
- https://lists.apache.org/thread/9g1opd6l44dmck00b8gwg5qf1srngybl
- Drop commons-lang3 dependency and replace its usages with core Java gradle/gradle#35536
- SOLR-16736: drop commons-lang3 dependency apache/solr#3823
- https://issues.apache.org/jira/browse/CALCITE-7259
Checklist
- I have searched the existing issues to ensure this is not a duplicate.
- This feature would be useful to more than just my use case.
- I have provided enough detail for the maintainers to understand the scope of the request.