Hi Hong,

Thanks for bringing this up. Sure, I would like to volunteer to work as release manager [1] to vendor guava 32.1.2-jre. Created GitHub Issue for tracking [2].

Regards,
Yi

[1] https://s.apache.org/beam-release-vendored-artifacts
[2] https://github.com/apache/beam/issues/27801

On Mon, Jul 31, 2023 at 1:08 PM Ahmet Altay via dev <dev@beam.apache.org> wrote:

> Hi Hong,
>
> Thank you for reaching out and thank you for offering to help. If you can start the PR and do the testing, one of the committers could help with the process.
>
> Thank you!
> Ahmet
>
> On Mon, Jul 31, 2023 at 9:13 AM Hong Teoh <hlteo...@gmail.com> wrote:
>
>> Hi all,
>>
>> The current version of guava that is vended in Beam is com.google.guava:guava:26.0-jre.
>>
>> This version is really old, and has active vulnerabilities [1] [2]
>> [1] https://mvnrepository.com/artifact/com.google.guava/guava/26.0-jre
>> [2] CVE-2023-2976 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976
>> [3] CVE-2020-8908 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
>>
>> Is there anyone else keen on upgrading the vended guava version to match the guava version of 32.1.1-jre? [4]
>> [4] https://github.com/apache/beam/blame/df6964aac62a521081481b21c96ecd506ea3c503/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L542
>>
>> I am happy to contribute the PR to upgrade the guava dependencies in the Beam repository, but I would need a committer to drive the release of the vended version first! [5]
>> [5] https://docs.google.com/document/d/1ztEoyGkqq9ie5riQxRtMuBu3vb6BUO91mSMn1PU0pDA/edit#heading=h.vhcuqlttpnog
>>
>> Side question: Does anyone know why we have libraries that use the non-vended guava version? [6]
>> [6] https://github.com/search?q=repo%3Aapache%2Fbeam%20library.java.guava&type=code
>
> @Kenneth Knowles <k...@google.com> - might know.
>
>> Regards,
>> Hong