It's not designed to be merged, but there is a PR with this change in it:
https://github.com/apache/beam/pull/27695/files#diff-0435a83a413ec063bf7e682cadcd56776cd18fc878f197cc99a65fc231ef2047

On Mon, Jul 31, 2023 at 10:07 AM Ahmet Altay via dev <dev@beam.apache.org> wrote:

> Hi Hong,
>
> Thank you for reaching out and thank you for offering to help. If you can
> start the PR and do the testing, one of the committers could help with the
> process.
>
> Thank you!
> Ahmet
>
> On Mon, Jul 31, 2023 at 9:13 AM Hong Teoh <hlteo...@gmail.com> wrote:
>
>> Hi all,
>>
>> The current version of guava that is vended in Beam is
>> com.google.guava:guava:26.0-jre.
>>
>> This version is really old, and has active vulnerabilities [1] [2]
>> [1] https://mvnrepository.com/artifact/com.google.guava/guava/26.0-jre
>> [2] CVE-2023-2976 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976
>> [3] CVE-2020-8908 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
>>
>> Is there anyone else keen on upgrading the vended guava version to match
>> the guava version of 32.1.1-jre? [4]
>> [4] https://github.com/apache/beam/blame/df6964aac62a521081481b21c96ecd506ea3c503/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L542
>>
>> I am happy to contribute the PR to upgrade the guava dependencies in the
>> Beam repository, but I would need a committer to drive the release of the
>> vended version first! [5]
>> [5] https://docs.google.com/document/d/1ztEoyGkqq9ie5riQxRtMuBu3vb6BUO91mSMn1PU0pDA/edit#heading=h.vhcuqlttpnog
>>
>> Side question: Does anyone know why we have libraries that use the
>> non-vended guava version? [6]
>> [6] https://github.com/search?q=repo%3Aapache%2Fbeam%20library.java.guava&type=code
>
> @Kenneth Knowles <k...@google.com> - might know.
>
>> Regards,
>> Hong