Dependencies not upgraded

[akankshagaur]

Hi,

I see that Google endpoints framework releases do not contain the latest releases of its dependent libraries which have security vulnerabilities.

For. E.g Guava dependency version used is 20 while latest version is 25.1. Also, since guava is based on checker framework which is GPL, won't it affect developers?
Is there an alternative for checker framework which can be used in endpoints framework?

Thanks

[tangiel]

The particular library which Guava depends on in the Checker Framework is MIT licensed, so that is not an issue.

[tangiel]

So there is an issue in that Guava 21+ requires Java 8, unless you use the -android dependency. Right now App Engine still supports Java 7 so we have to support it. But that could also mean classpath conflicts with people who use the Java 8 runtime and the -jre dependency. I'm not entirely sure what the best solution is right now.

[akankshagaur]

Ok,that clarifies the issue. Thanks