Update Apache Http Client in 1.29.0?

[ThexXTURBOXx]

The 1.28.0-update for the legacy Google-Apache-Http-Client downgraded it to 4.2.6.
Was this downgrade really neccessary?
According to snyk.io, the downgrade introduced 3 "new" vulnerabilities.
I was upgrading from version 1.27.0 to the newest one, because the vulnerability with the old Guava version is gone now, but it isn't worth staying up-to-date, when there are 3 new ones.

P.S. Sorry for not filling out the Issue Template, but I don't think, that it is neccessary for just this question.

[elharo]

Can you be more specific about exactly which artifact you're referring to and where it is in our pom.xml? If it's the one I think, it is currently 4.5.5 at HEAD but we may not be looking at the same thing.

[ThexXTURBOXx]

I'm using

<dependency>
    <groupId>com.google.http-client</groupId>
    <artifactId>google-http-client-apache</artifactId>
    <version>1.28.0</version>
    <scope>compile</scope>
</dependency>

in my pom.xml.
It seems like, it is using a very old version of HTTPClient: https://github.com/googleapis/google-http-java-client/blob/master/google-http-client-apache-legacy/pom.xml#L108

[elharo]

google-http-client-apache is not the same as google-http-client-apache-legacy. The artifact you are using has a more recent dependency.

Not sure why google-http-client-apache-legacy exists, but I'd guess some system somewhere needs the older version for some reason. Maybe someone else can explain that.

[ThexXTURBOXx]

I'm aware, that they are not the same, but the artifact I am using is built in the legacy-module and uses the old Version of Apache HTTP Client.
The 1.x versions are built within the legacy Module appearently and only the 2.x versions in the Module without the "-legacy" suffix.
I dont want to update to 2.x, because I would have to rewrite nearly everything.
If you go to this Page:
https://mvnrepository.com/artifact/com.google.http-client/google-http-client-apache
There are two artifacts:
The 1.28.0 is the version I am using. It's built in the legacy Module.
The 2.0.0 is built in the normal Module.
The 1.28.0 uses the 4.2.2 Version of Apache's Client.

[elharo]

There is a 1.28.0 version of google-http-client-apache. What does the classpath include?

[ThexXTURBOXx]

If there is Another Version, I don't find it then.
I just find the 1.28.0, whose source Code is in the legacy Module, and the 2.0.0, whose source Code is in the normal module

[chingor13]

In 1.28.0, the Apache extensions were pulled into a separate artifact google-http-client-apache. The 1.x version matched the exact old API which really only worked for older (~4.2.x) versions of Apache HttpClient. A 2.0 version was also released with code that works with recent versions of Apache HttpClient.

In 1.29.0 this was undone and the 1.x version was pulled back into the primary google-http-client artifact.

In 1.30.0, we will be leaving the legacy version (but deprecated) in the google-http-client artifact and release a google-http-client-apache-v2 artifact which has the new extensions under a new, separate package com.google.api.client.http.apache.v2.