Hi Hong,

Thank you for reaching out and thank you for offering to help. If you can
start the PR and do the testing, one of the committers could help with the
process.

Thank you!
Ahmet

On Mon, Jul 31, 2023 at 9:13 AM Hong Teoh <hlteo...@gmail.com> wrote:

> Hi all,
>
> The current version of guava that is vended in Beam is
> com.google.guava:guava:26.0-jre.
>
> This version is really old, and has active vulnerabilities [1] [2]
> [1] https://mvnrepository.com/artifact/com.google.guava/guava/26.0-jre
> [2] CVE-2023-2976
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976
> [3] CVE-2020-8908
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
>
> Is there anyone else keen on upgrading the vended guava version to match
> the guava version of 32.1.1-jre? [4]
> [4]
> https://github.com/apache/beam/blame/df6964aac62a521081481b21c96ecd506ea3c503/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L542
>
> I am happy to contribute the PR to upgrade the guava dependencies in the
> Beam repository, but I would need a committer to drive the release of the
> vended version first! [5]
> [5]
> https://docs.google.com/document/d/1ztEoyGkqq9ie5riQxRtMuBu3vb6BUO91mSMn1PU0pDA/edit#heading=h.vhcuqlttpnog
>
> Side question: Does anyone know why we have libraries that use the
> non-vended guava version? [6]
> [6]
> https://github.com/search?q=repo%3Aapache%2Fbeam%20library.java.guava&type=code
>

@Kenneth Knowles <k...@google.com> - might know.

>
> Regards,
> Hong
>