From 0f2fffa930fb53eb8c620960379ed787acbfc154 Mon Sep 17 00:00:00 2001
From: Zach Chuba <zachary.chuba@fiserv.com>
Date: Tue, 30 Sep 2025 10:11:26 -0400
Subject: [PATCH 1/2] Remove commons-collections:commons-collections references
 from sourcecode.

Replacing with org.apache.commons:commons-collections4. This ensures the outdated dependency is not used by pulsar code, but does not strip commons-collections from transitive dependencies. Initially aimed at addressing a CVE bundled with commons-collections, but does not clear commons-collections from the classpath.
---
 .../org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java   | 2 +-
 pulsar-client-admin-shaded/pom.xml                              | 2 +-
 pulsar-client-all/pom.xml                                       | 2 +-
 pulsar-client-shaded/pom.xml                                    | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java b/managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java
index e5ce27c488f95..9cd597904fcdb 100644
--- a/managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java
+++ b/managed-ledger/src/test/java/org/apache/bookkeeper/mledger/impl/ManagedCursorTest.java
@@ -112,7 +112,7 @@
 import org.apache.bookkeeper.mledger.proto.MLDataFormats.PositionInfo;
 import org.apache.bookkeeper.mledger.util.ManagedLedgerUtils;
 import org.apache.bookkeeper.test.MockedBookKeeperTestCase;
-import org.apache.commons.collections.iterators.EmptyIterator;
+import org.apache.commons.collections4.iterators.EmptyIterator;
 import org.apache.commons.lang3.mutable.MutableBoolean;
 import org.apache.pulsar.common.api.proto.CommandSubscribe;
 import org.apache.pulsar.common.api.proto.IntRange;
diff --git a/pulsar-client-admin-shaded/pom.xml b/pulsar-client-admin-shaded/pom.xml
index 76def0387771c..c9b900aefb303 100644
--- a/pulsar-client-admin-shaded/pom.xml
+++ b/pulsar-client-admin-shaded/pom.xml
@@ -128,7 +128,7 @@
                   <include>com.yahoo.datasketches:sketches-core</include>
                   <include>commons-*:*</include>
                   <include>commons-codec:commons-codec</include>
-                  <include>commons-collections:commons-collections</include>
+                  <include>org.apache.commons:commons-collections4</include>
                   <include>io.airlift:*</include>
                   <include>io.grpc:*</include>
                   <include>io.netty.incubator:*</include>
diff --git a/pulsar-client-all/pom.xml b/pulsar-client-all/pom.xml
index d0cbb7b70f4c5..7ef38d3cdd96a 100644
--- a/pulsar-client-all/pom.xml
+++ b/pulsar-client-all/pom.xml
@@ -171,7 +171,7 @@
                   <include>com.yahoo.datasketches:sketches-core</include>
                   <include>commons-*:*</include>
                   <include>commons-codec:commons-codec</include>
-                  <include>commons-collections:commons-collections</include>
+                  <include>org.apache.commons:commons-collections4</include>
                   <include>io.airlift:*</include>
                   <include>io.grpc:*</include>
                   <include>io.netty.incubator:*</include>
diff --git a/pulsar-client-shaded/pom.xml b/pulsar-client-shaded/pom.xml
index 32bf4f32313bd..96317fac87f7b 100644
--- a/pulsar-client-shaded/pom.xml
+++ b/pulsar-client-shaded/pom.xml
@@ -145,7 +145,7 @@
                   <include>com.yahoo.datasketches:sketches-core</include>
                   <include>commons-*:*</include>
                   <include>commons-codec:commons-codec</include>
-                  <include>commons-collections:commons-collections</include>
+                  <include>org.apache.commons:commons-collections4</include>
                   <include>io.airlift:*</include>
                   <include>io.netty.incubator:*</include>
                   <include>io.netty:*</include>

From 77e563c961f55d6d4f23a9c56ebdadf2b35767bd Mon Sep 17 00:00:00 2001
From: Zach Chuba <zachary.chuba@fiserv.com>
Date: Tue, 7 Oct 2025 08:03:28 -0400
Subject: [PATCH 2/2] Unshade bookkeeper from pulsar-client jars

To clear jar scans and remove a transitive dependency for these artifacts: commons-collections base version
---
 pulsar-client-admin-shaded/pom.xml | 2 --
 pulsar-client-all/pom.xml          | 2 --
 pulsar-client-shaded/pom.xml       | 2 --
 3 files changed, 6 deletions(-)

diff --git a/pulsar-client-admin-shaded/pom.xml b/pulsar-client-admin-shaded/pom.xml
index c9b900aefb303..f0fea81c6d957 100644
--- a/pulsar-client-admin-shaded/pom.xml
+++ b/pulsar-client-admin-shaded/pom.xml
@@ -128,7 +128,6 @@
                   <include>com.yahoo.datasketches:sketches-core</include>
                   <include>commons-*:*</include>
                   <include>commons-codec:commons-codec</include>
-                  <include>org.apache.commons:commons-collections4</include>
                   <include>io.airlift:*</include>
                   <include>io.grpc:*</include>
                   <include>io.netty.incubator:*</include>
@@ -143,7 +142,6 @@
                   <include>javax.ws.rs:*</include>
                   <include>javax.xml.bind:jaxb-api</include>
                   <include>net.jcip:jcip-annotations</include>
-                  <include>org.apache.bookkeeper:*</include>
                   <include>org.apache.commons:commons-compress</include>
                   <include>org.apache.commons:commons-lang3</include>
                   <include>org.apache.pulsar:pulsar-client-admin-original</include>
diff --git a/pulsar-client-all/pom.xml b/pulsar-client-all/pom.xml
index 7ef38d3cdd96a..848f28b517a4f 100644
--- a/pulsar-client-all/pom.xml
+++ b/pulsar-client-all/pom.xml
@@ -171,7 +171,6 @@
                   <include>com.yahoo.datasketches:sketches-core</include>
                   <include>commons-*:*</include>
                   <include>commons-codec:commons-codec</include>
-                  <include>org.apache.commons:commons-collections4</include>
                   <include>io.airlift:*</include>
                   <include>io.grpc:*</include>
                   <include>io.netty.incubator:*</include>
@@ -192,7 +191,6 @@
                   <include>javax.xml.bind:jaxb-api</include>
                   <include>net.jcip:jcip-annotations</include>
                   <include>org.apache.avro:*</include>
-                  <include>org.apache.bookkeeper:*</include>
                   <include>org.apache.commons:commons-compress</include>
                   <include>org.apache.commons:commons-lang3</include>
                   <include>org.apache.pulsar:pulsar-client-admin-original</include>
diff --git a/pulsar-client-shaded/pom.xml b/pulsar-client-shaded/pom.xml
index 96317fac87f7b..f1b6e2028a5aa 100644
--- a/pulsar-client-shaded/pom.xml
+++ b/pulsar-client-shaded/pom.xml
@@ -145,7 +145,6 @@
                   <include>com.yahoo.datasketches:sketches-core</include>
                   <include>commons-*:*</include>
                   <include>commons-codec:commons-codec</include>
-                  <include>org.apache.commons:commons-collections4</include>
                   <include>io.airlift:*</include>
                   <include>io.netty.incubator:*</include>
                   <include>io.netty:*</include>
@@ -160,7 +159,6 @@
                   <include>javax.ws.rs:*</include>
                   <include>net.jcip:jcip-annotations</include>
                   <include>org.apache.avro:*</include>
-                  <include>org.apache.bookkeeper:*</include>
                   <include>org.apache.commons:commons-compress</include>
                   <include>org.apache.commons:commons-lang3</include>
                   <!-- Issue #6834, Since Netty ByteBuf shaded, we need also shade this module -->