Sourced from org.owasp.esapi:esapi's releases.

esapi-2.6.2.0

Full Release Notes

Release notes for ESAPI release 2.6.2.0 are located at:

• https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.6.2.0-release-notes.txt

What's Changed

• This is a minor patch release with the intent of updating the Apache Commons BeanUtils dependency from v1.9.4 to v1.11.0 to CVE-2025-48734.

Full Changelog: https://github.com/ESAPI/esapi-java-legacy/compare/esapi-2.6.1.0...esapi-2.6.2.0

Other Notes

You may see GHAS Dependabot references to https://github.com/ESAPI/esapi-java-legacy/security/dependabot/17 for this (and previous releases). For a more thorough discussion of this, please see Discussion #877.

Configuration Jar

Note the associated file "esapi-2.6.2.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.6.2.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.

• ba358e4 Corrected version to 2.6.2.0; was 2.7.0.0-SNAPSHOT.
• 38ce3a0 Correct release date.
• b68e753 Correct release date and other minor changes.
• fba99d8 Merge pull request #884 from kwwall/2.6.2.0
• af4c901 Merge pull request #882 from kwwall/develop
• 950a56b Updates to prep for ESAPI 2.6.2.0 release.
• 5d6e2fd Update guessed release date for 2.6.1.0 to its actual release date. (Maven Ce...
• 7067804 Bump commons-beanutils:commons-beanutils from 1.9.4 to 1.11.0 (#881)
• e2183d6 Prep 'develop' branch for next (SNAPSHOT) ESAPI release.
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)