This is an automated email from the ASF dual-hosted git repository.

spmallette pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tinkerpop.git


The following commit(s) were added to refs/heads/master by this push:
     new 5aae2577c2 Bump guava to 33.6.0-jre
5aae2577c2 is described below

commit 5aae2577c29c7af7e295ef0860eb6eb5d4816cb8
Author: Stephen Mallette <[email protected]>
AuthorDate: Wed Jul 1 14:02:30 2026 -0400

    Bump guava to 33.6.0-jre
    
    Clears CVE-2023-2976 / CVE-2020-8908 from the shipped transitive
    dependency tree. Validated with a full mvn clean install.
    
    Assisted-by: Claude Code:claude-opus-4-8
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 8e6a0569ae..646b2ddf19 100644
--- a/pom.xml
+++ b/pom.xml
@@ -164,7 +164,7 @@ limitations under the License.
           don't really use guava directly, but there are a lot of jar 
conflicts around it,
           so centralizing that dependency version here
         -->
-        <guava.version>31.0.1-jre</guava.version>
+        <guava.version>33.6.0-jre</guava.version>
         <!--
           don't think we need guice 7 at the moment - the only difference with 
6 is that
           it supports the jakarta.inject namespace which tinkerpop doesn't 
fuss with

Reply via email to