Hi all,

The current version of guava that is vended in Beam is com.google.guava:guava:26.0-jre.
This version is really old, and has active vulnerabilities [1] [2].

[1] https://mvnrepository.com/artifact/com.google.guava/guava/26.0-jre
[2] CVE-2023-2976 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976
[3] CVE-2020-8908 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Is there anyone else keen on upgrading the vended guava version to match the guava version of 32.1.1-jre? [4]

[4] https://github.com/apache/beam/blame/df6964aac62a521081481b21c96ecd506ea3c503/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L542

I am happy to contribute the PR to upgrade the guava dependencies in the Beam repository, but I would need a committer to drive the release of the vended version first! [5]

[5] https://docs.google.com/document/d/1ztEoyGkqq9ie5riQxRtMuBu3vb6BUO91mSMn1PU0pDA/edit#heading=h.vhcuqlttpnog

Side question: Does anyone know why we have libraries that use the non-vended guava version? [6]

[6] https://github.com/search?q=repo%3Aapache%2Fbeam%20library.java.guava&type=code

Regards,
Hong