-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerabilities referenced in version 7 #1798
Comments
This problem was resolved more than one year ago, when dependabot updated the Guava version to 32.0.0-jre. Currently, on master it's 33.0.0-jre, but there's still not a new Guice version. |
Are there any plans for a small release (7.0.1 or 7.1.0) to bump insecure dependencies? |
Hi, You should be able to solve the problem by overriding the Guava version used by Guice. Exclude the Guava dependency from Guice using and then add a separate Guava dependency with a version that does not have vulnerabilities. |
@andrejgasteovski Yes, this is our current workaround. But it is still additional effort that needs to be done by all users of Guice and in my particular case in a regulated environment this measure also has a paper trail... |
@andrejgasteovski I agree with @winne42. The cost of releasing a new version seems small to me relative to that of requiring every single project using Guice (dozens of thousands) to configure their build tool to override a dependency. |
Workaround as discussed in the thread above:
[versions]
guava = { strictly = "33.3.1-jre" }
guice = "7.0.0"
[libraries]
guava = { module = "com.google.guava:guava", version.ref = "guava" }
guice = { module = "com.google.inject:guice", version.ref = "guice" } But agree with the general sentiment shared above that a patch version of |
ref: google/guice#1798 Signed-off-by: Open592 Developer <uss@open592.com>
Hi
Looking @ version 7 and there are two Vulnerabilities
Vulnerabilities from dependencies:
CVE-2023-2976
CVE-2020-8908
Can these be addressed?
talks about "access to the machine". I always assume if that is the case you are already Vulnerable.
The text was updated successfully, but these errors were encountered: