Update old dependency on commons-collections

[peterdemaeyer]

gwt-dev has a dependency on commons-collections. Users are thus also forced to transitively pull in that dependency, which is bad for the following reasons:

• The last release was in 2015. Since then, it has been replaces with commons-collections4 and users should migrate.
• Nexus IQ, Sonatype's commercial security scanner, reports a vulnerability sonatype-2024-3350 in that library with CVSS 8.7.

Recommended actions:

• Check if the dependency is needed at all. If not, remove it.
• If it is needed, update to commons-collections4.

[niloc132]

This would definitely be a good idea, but please take notice that neither gwt-dev nor gwt-user are ever intended to be deployed or run on a server, they only exist to compile already-trusted code to JS.

A DoS is possible for sure... but to exploit it on a compiler means that you are building code specifically crafted to ... crash your build process? This should be easy to notice (because your build is crashing), and won't put any code/data/infra/etc at risk.

[peterdemaeyer]

I'm also wondering of the commons-collections dependency is maybe an optional one? If so, consider marking it as such.

[niloc132]

I think you're right - initial testing suggests that we need it for our own tests, and even then only for the compiler's own internal collection impls. I'll put up a PR to try removing this dependency entirely, make sure there's no other downstream code that indirectly requires it.

[peterdemaeyer]

Given your explanation, it feels to me like the dependency deserveq to be there, but that its scope should be demoted to <scope>test</scope>. Additionally, consider updating to commons-collections4 for the compiler's own internal collection impls.

[zbynek]

should be demoted to test

That's what the linked pull request effectively does (since GWT is using Ant rather than Maven for its own build, the library needs to be moved from main to test classpath in Ant scripts + removed from the POM of published artifacts, published artifacts should oly list runtime/compile time dependencies in POM).