com.google.guava:guava library version update #1214

Closed
MaskedRedstonerProZ opened this issue Dec 26, 2023 · 2 comments

@MaskedRedstonerProZ

The current version of Guava contained in the project contains a vulnerability (CVE-2023-2976). As that has been fixed in a later version of Guava, I believe said later version should be integrated into the Truth project. This is something which I believe I am able, and am willing, to do as my contribution to the project.

@eamonnmcmanus eamonnmcmanus added the P2 has an ETA label Dec 27, 2023
@cpovirk
Member

cpovirk commented Dec 27, 2023

I believe that Truth 1.2.0 depends on Guava 33.0.0, which is not vulnerable. Can you point me to where you're seeing another version?

@MaskedRedstonerProZ
Author

Apologies sir, my IDE failed to notify me of a new update in the Truth library. The vulnerable Guava version is seen in Truth 1.1.3; as such, I assumed it was the latest one and didn't notice the releases. I will try to figure out what the issue is and why my IDE didn't flag Truth 1.1.3 as outdated and update it. I will also close this issue if you don't mind.
