Sorry - meant to send this to a different mailing list -.-
> On 31 Jul 2023, at 15:58, Hong Teoh <hlteo...@gmail.com> wrote:
>
> Hi all,
>
> The current version of guava that is vendored in Beam is
> com.google.guava:guava:26.0-jre.
>
> This version is really old, and has active vulnerabilities [1] [2]
> [1] https://mvnrepository.com/artifact/com.google.guava/guava/26.0-jre
> [2] CVE-2023-2976 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976
> [3] CVE-2020-8908 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
>
> Is there anyone else keen on upgrading the vendored guava version to match
> the guava version of 32.1.1-jre? [4]
> [4] https://github.com/apache/beam/blame/df6964aac62a521081481b21c96ecd506ea3c503/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L542
>
> I am happy to contribute the PR to upgrade the guava dependencies in the Beam
> repository, but I would need a committer to drive the release of the vendored
> version first! [5]
> [5] https://docs.google.com/document/d/1ztEoyGkqq9ie5riQxRtMuBu3vb6BUO91mSMn1PU0pDA/edit#heading=h.vhcuqlttpnog
>
> Side question: Does anyone know why we have libraries that use the
> non-vendored guava version? [6]
> [6] https://github.com/search?q=repo%3Aapache%2Fbeam%20library.java.guava&type=code
>
> Regards,
> Hong