
Conversation

@casewalker casewalker commented Dec 13, 2023

Upgrades past CVE-2023-2976 and CVE-2020-8908 to the latest Guava version.

@casewalker (Author)

@mikesamuel If you could take a look, that would be greatly appreciated.

@melloware

+1

@maxibarros

+1 @mikesamuel

@subbudvk (Contributor) commented Dec 20, 2023

I think Dependabot can create such a PR. I saw one for another version, #284. Also there is a PR on removing the dependency, #272.

@casewalker (Author)

@subbudvk If you read the comments on the PR you linked and check the Guava link I shared above, you'll see that the Dependabot PR is trying to upgrade from one vulnerable version to another vulnerable version.
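The trap described in this thread, a dependency bump that lands on a version that is still affected, is easy to catch mechanically. The following is an added example, not code from this PR or from the project: it parses a constructed Maven `pom.xml` snippet, extracts every `com.google.guava:guava` version, and compares it numerically (not as a string) against a minimum fixed version. The threshold `MIN_FIXED_VERSION = "32.0.0"` and the sample POM are assumptions made for the example; confirm the fixed version against the advisories for CVE-2020-8908 and CVE-2023-2976 before relying on it, and note that an unresolved `${property}` version is reported as unresolved rather than silently treated as safe.

```python
"""Added example (not part of the PR or the project): flag a Guava
dependency pinned below the first version assumed to fix both CVEs.

Assumptions, labelled: SAMPLE_POM is constructed for this example, and
MIN_FIXED_VERSION is taken as "32.0.0"; verify it against the advisories.
"""
import xml.etree.ElementTree as ET

# Assumed first Guava release that closes both CVEs; check the advisories.
MIN_FIXED_VERSION = "32.0.0"

# Constructed sample pom.xml pinning Guava to a pre-fix release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>31.1-jre</version>
    </dependency>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>${guava.version}</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version):
    """Turn '32.1.3-jre' or '31.1-android' into a comparable tuple of ints.

    The -jre/-android flavour suffix carries no ordering information and is
    dropped. Missing components count as 0, so '31.1' becomes (31, 1, 0) and
    sorts below (32, 0, 0). A plain string comparison would get '9.0' vs
    '32.0' wrong, which is why the numeric tuple is used.
    Raises ValueError for anything that is not a dotted numeric version,
    e.g. an unresolved Maven property such as '${guava.version}'.
    """
    core = version.split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparsable version: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version, min_fixed=MIN_FIXED_VERSION):
    """True when version is strictly below the assumed fixed version."""
    return parse_version(version) < parse_version(min_fixed)


def find_guava_versions(pom_xml):
    """Return the declared versions of every com.google.guava:guava dependency."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = dep.findtext("m:version", default="", namespaces=NS)
        if gid == "com.google.guava" and aid == "guava":
            found.append(ver)
    return found


def check_pom(pom_xml, min_fixed=MIN_FIXED_VERSION):
    """Return (version, status) pairs; status is 'vulnerable', 'ok' or
    'unresolved' (property references must be resolved before checking)."""
    results = []
    for ver in find_guava_versions(pom_xml):
        try:
            status = "vulnerable" if is_vulnerable(ver, min_fixed) else "ok"
        except ValueError:
            status = "unresolved"
        results.append((ver, status))
    return results


if __name__ == "__main__":
    for ver, status in check_pom(SAMPLE_POM):
        print(f"guava {ver}: {status}")
```

Run it against the real `pom.xml` (or, better, against `mvn dependency:tree` output, since a transitive Guava can be older than the one you pin) and treat any `vulnerable` or `unresolved` result as a failed check.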

@casewalker (Author)

@jmanico Hello, I saw that you recently reviewed a PR in this repo. I am trying to have some CVEs addressed by bumping to the latest version of Guava. If you could review this PR, that would be greatly appreciated.

Thanks!

@melloware

@casewalker this can be closed now that #272 has been merged

@mikesamuel (Contributor)

This is obviated by 3b6cc1b, which removes the Guava dependency entirely.

@mikesamuel mikesamuel closed this Jan 15, 2024
@casewalker (Author)

Beautiful, thanks for addressing the underlying issue!!

@casewalker casewalker deleted the patch-1 branch January 15, 2024 19:37
5 participants