Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: Update Guava to 32.0.0 #12953

Closed
wants to merge 1 commit into from
Closed

deps: Update Guava to 32.0.0 #12953

wants to merge 1 commit into from

Conversation

chadlwilson
Copy link
Contributor

@chadlwilson chadlwilson commented Jun 1, 2023

Updates Guava to 32.0.0 to include fixes for CVE-2020-8908 and CVE-2023-2976 (google/guava#2575) which affects certain builds with shaded usage, e.g ruby via jruby/java platform such as https://rubygems.org/gems/google-protobuf/versions/3.23.2-java

May need backporting to 23.x branch if sufficiently compatible.

@chadlwilson chadlwilson requested a review from a team as a code owner June 1, 2023 08:51
@chadlwilson chadlwilson requested review from shaod2 and removed request for a team June 1, 2023 08:51
@hlopko hlopko added the java label Jun 5, 2023
@fowles fowles requested review from googleberg and removed request for shaod2 June 7, 2023 17:26
@fowles fowles added the 🅰️ safe for tests Mark a commit as safe to run presubmits over label Jun 7, 2023
@chadlwilson
Copy link
Contributor Author

Thanks! Not sure if there is an automated backport review process, but created #13002 if useful (cherrypicked from the copybara main commit).

copybara-service bot pushed a commit that referenced this pull request Jun 20, 2023
Follow-up from #12953 to update to `32.0.1` to fix an issue on windows:

https://github.com/google/guava/releases/tag/v32.0.1

The underlying issue likely does not affect protobuf as it does not appear to (directly) use the affected `Files.createTempDir` or `FileBackedOutputStream` code which was apparently broken on Windows in `32.0.0`.

Seems best to update anyway.

Closes #13099

COPYBARA_INTEGRATE_REVIEW=#13099 from chadlwilson:bump-guava-3201 30bd3f7
PiperOrigin-RevId: 541960623
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🅰️ safe for tests Mark a commit as safe to run presubmits over java
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants