At SAS, we use and contribute to a wide range of open source projects. This series – SAS Contributes – highlights how our teams give back to the open source community.
When your software depends on critical open source infrastructure, you have a choice: You can hope the community keeps it healthy for you, or you can step in and contribute to maintaining it. For SAS, Apache Geode was one of those inflection points.
Geode has long been a foundational technology inside SAS 9. The distributed, in-memory data grid, originally derived from VMware Gemfire, has powered large-scale, real-time data access across SAS middle-tier services. But by late 2022, the project was drifting toward the Apache “attic”: no new releases, mounting security issues, broken infrastructure, and nearly 1,700 open issues. Geode was becoming a risk for everyone depending on it, including SAS.
“The Geode community came to us and said, 'You know, we're going to throttle down this Geode project and eventually get rid of it.' And SAS 9 uses it. A lot. It's a critical component. That was a huge motivating factor for getting involved.”
— William Hodges, Senior Software Developer
Why SAS Got Involved
The need was urgent. SAS 9 relied on Geode, which was stuck on Java 8, while SAS needed to move its platform to Java 17 and beyond for security, supportability and modernization. In addition, Geode carried 15 known CVEs, several unreported vulnerabilities, and aging dependencies across its stack.
“We wound up playing the role of penetration testers, seeing how an attacker would gain access to the system.”
— William Hodges
The SAS 9 engineering team began addressing these issues internally because they were blocking SAS' modernization plans. Rewriting an internal alternative wasn’t feasible. Supporting the open source Geode project and contributing fixes upstream was the most sustainable path.
Breathing new life into Geode
What began as a maintenance effort quickly became a full-scale revival.
SAS team members – including Jinwoo Hwang, William Hodges, Kaajal Nanavati, Ventsislav Marinov, Patrick Harmon and Sheila Riley – contributed patches that fixed critical security vulnerabilities, upgraded core libraries, modernized the build system and transitioned Geode toward modern standards.
“What began as an internal effort at SAS Institute Inc. to address critical security vulnerabilities evolved into a community-driven revival that touched more than 800 files, added 18,000+ lines of code, and modernized every major subsystem, from the build infrastructure and security layer to the command-line interface and web containers, while maintaining full test coverage and zero compilation errors.”
— Jinwoo Hwang, Principal Software Developer
These contributions enabled the following significant updates:
- Migration from javax.* to jakarta.*
- Support for Java 17 LTS and testing with Java 21.
- Updates to Spring Framework 6.x, Spring Security 6.x.
- Updates to Apache HttpComponents 5.x (HTTP/2).
- Removal of unsafe reflection usage.
- Major dependency upgrades across Jetty, Jackson, JGroups, Lucene, Commons and others.
These were not small changes. They were the kind of foundational improvements needed to ensure the project could continue to survive and evolve.
“This wasn't just a version bump; it was a complete architectural realignment that secured Apache Geode's future as a viable, maintainable, and secure platform for enterprise distributed systems, demonstrating that even the most complex legacy projects can be modernized through persistence, community collaboration and commitment to open source principles.”
— Jinwoo Hwang
SAS also worked through the Apache Software Foundation’s contribution processes, securing contributor agreements, splitting large internal change sets into reviewable PRs and collaborating constructively with longtime Geode maintainers.
The result? The first new Geode release in nearly three years.
Bigger than SAS
SAS’ efforts didn’t just improve the code. They helped reignite the community.
One of the most rewarding outcomes of SAS’s collaboration has been the reaction from the Geode community. As SAS colleagues began contributing fixes, other contributors began to reengage with the project – submitting PRs aligned with the project’s new roadmap, joining conversations about modernization and helping stabilize CI workflows. New contributors and committers also brought renewed energy to rethinking and revising the project’s release governance process.
“The major code was done by our team, but we had a lot of help from expertise from other folks externally. They were veteran developers there for more than a decade. They helped us to review and revise our implementation. It was a collaboration of our team and our external team as well.”
— Jinwoo Hwang
SAS’ work led to two major milestones:
- Geode 1.15.2: The first release since 2022, addressing long‑standing vulnerabilities and dependency issues.
- Geode 2.0.0: The most significant update in the project’s modern history and the first major version released in nearly a decade – led by SAS’ Jinwoo Hwang, who served as lead developer, project manager, and release manager.
Geode 2.0 made headlines. It isn’t just a symbolic milestone; it marks a renewed and active project community, a much more stable CI pipeline, and a clear modernization roadmap.
“I'm a new member of SAS and use Geode a lot. So, for me, the main motivation was to learn a little more about Geode in general. And then to be able to help the project because it was going into the attic – I thought it's just a win-win.”
— Ventsislav Marinov, Senior Software Developer
Participating in Geode development also helped SAS engineers enhance their own practice and learn from community members, many of whom have been working on the project for a decade.
“To see that someone else in the community is doing the same type of thing, and how they decide to tackle the problem…it's just so interesting.”
— Patrick Harmon, Senior Software Developer
What’s next
The SAS team continues to:
- Modernize Geode APIs and dependencies.
- Improve security scanning and stability.
- Update SAS 9’s Geode bundles and deployment tooling.
Crucially, the team wants to balance responsibilities, keeping SAS-specific integrations in-house while transitioning core Geode work to open, transparent collaboration with the wider community. The long-term goal is simple: ensure Geode thrives as a healthy, open source project that is useful not just to SAS but to any team that relies on this powerful distributed data engine.
Becoming better open source citizens
The “SAS Contributes” series exists because contributing to open source is about more than consuming it. SAS (and the world beyond it) uses enormous amounts of open source technology, from Kubernetes to Python to the data and compute infrastructure on which our products rely.
“We can showcase our capability or our inclination to contribute to our industry, not just SAS products – showing our customers that we are capable of helping our industry, and we are capable of sharing our knowledge, paying it forward and sharing our kindness and generosity.”
— Jinwoo Hwang
For SAS, giving back is a matter of responsibility, credibility, and community health. OpenSearch is one example. Apache Geode is another. And it won’t be the last.
