18.7

@dondonz dondonz released this 15 Aug 06:21
ffd0017

This is a special release with only one change, which updates the Guava version to v32.1.1.

This release does not change any code in graphql-java. It is only to keep security scanners happy.

graphql-java shades in selected classes of Guava. graphql-java never used the classes affected by CVE-2023-2976, but the Guava version number nevertheless appears in metadata, which is read by security scanners. While we previously released a version of graphql-java with the patched Guava version, this initial patched version had an issue with the Windows release. This caused some security scanners to still consider the initial patched version "vulnerable". This release updates the Guava version to 32.1.1, which does not have the Windows release problem.

More details: #3263