fix(deps): update dependency com.google.guava:guava to v33

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.google.guava:guava	31.0.1-android -> 33.0.0-android

---

Release Notes

google/guava (com.google.guava:guava)

v32.1.3: 32.1.3

Compare Source

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>32.1.3-jre</version>
  <!-- or, for Android: -->
  <version>32.1.3-android</version>
</dependency>

Jar files

• 32.1.3-jre.jar
• 32.1.3-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.1.jar

Javadoc

• 32.1.3-jre
• 32.1.3-android

JDiff

• 32.1.3-jre vs. 32.1.2-jre
• 32.1.3-android vs. 32.1.2-android
• 32.1.3-android vs. 32.1.3-jre

Changelog

• Changed Gradle Metadata to include dependency versions directly. This may address "Could not find some-dependency" errors that some users have reported (which might be a result of users' excluding guava-parent). (c6d35cf)
• collect: Changed Multisets.unmodifiableMultiset(set).removeIf(predicate) to throw an exception always, even if nothing matches predicate. (61dbccf)
• graph: Fixed the behavior of Graph/ValueGraph views for a node when that node is removed from the graph. (9507996)
• io: Fixed Files.createTempDir and FileBackedOutputStream under Windows services, a rare use case. (The fix actually covers only Java 9+ because Java 8 would require an additional approach. Let us know if you need support under Java 8.) (f87f68c)
• net: Made MediaType.parse allow and skip over whitespace around the / and = separator tokens in addition to the ; separator, for which it was already being allowed. (2786f83)
• util.concurrent: Tweaked Futures.getChecked constructor-selection behavior: The method continues to prefer to call constructors with a String parameter, but now it breaks ties based on whether the constructor has a Throwable parameter. Beyond that, the choice of constructor remains undefined. (For this and other reasons, we discourage the use of getChecked.) (59cfb22)

v32.1.2: 32.1.2

Compare Source

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>32.1.2-jre</version>
  <!-- or, for Android: -->
  <version>32.1.2-android</version>
</dependency>

Jar files

• 32.1.2-jre.jar
• 32.1.2-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.1.jar

Javadoc

• 32.1.2-jre
• 32.1.2-android

JDiff

• 32.1.2-jre vs. 32.1.1-jre
• 32.1.2-android vs. 32.1.1-android
• 32.1.2-android vs. 32.1.2-jre

Changelog

• Removed the section of our Gradle metadata that caused Gradle to report conflicts with listenablefuture. (9ed0fa6)
• Changed our Maven project to avoid affecting which version of Mockito our Gradle users see. (71a16d5)
• collect: Under J2CL, exposed ImmutableList and ImmutableSet methods copyOf and of for JavaScript usage. (b41968f)
• net: Optimized InternetDomainName construction. (3a1d18f, eaa62eb)

v32.1.1: 32.1.1

Compare Source

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>32.1.1-jre</version>
  <!-- or, for Android: -->
  <version>32.1.1-android</version>
</dependency>

Jar files

• 32.1.1-jre.jar
• 32.1.1-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.1.jar

Javadoc

• 32.1.1-jre
• 32.1.1-android

JDiff

• 32.1.1-jre vs. 32.1.0-jre
• 32.1.1-android vs. 32.1.0-android
• 32.1.1-android vs. 32.1.1-jre

Changelog

• Fixed our broken Gradle metadata from 32.1.0. Sorry again for the trouble. If you use Gradle, please still read the release notes from that version: You may still see errors from the new checking that the metadata enables, and the release notes discuss how to fix those errors.

v32.1.0: 32.1.0

Compare Source

Warning: Our Gradle-metadata version numbers are broken. Read these notes, but upgrade straight to 32.1.2.

We made a mistake in our release script, so the new Gradle metadata (discussed below) has broken version numbers in 32.1.0. Sorry for the trouble and for the need for another quick patch release. We recommend upgrading straight to release 32.1.2, especially if you use Gradle or if you publish a library whose users might use Gradle. Still, read the release notes below if you use Gradle, since the fixed Gradle metadata in 32.1.2 may still require action on your part.

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>32.1.0-jre</version>
  <!-- or, for Android: -->
  <version>32.1.0-android</version>
</dependency>

Jar files

• 32.1.0-jre.jar
• 32.1.0-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.1.jar

Javadoc

• 32.1.0-jre
• 32.1.0-android

JDiff

• 32.1.0-jre vs. 32.0.1-jre
• 32.1.0-android vs. 32.0.1-android
• 32.1.0-android vs. 32.1.0-jre

Changelog

Gradle Module Metadata

Warning: We made a mistake in our release script, so this is broken in 32.1.0. We recommend upgrading straight to release 32.1.2, especially if you use Gradle or if you publish a library whose users might use Gradle. Still, read the release notes below if you use Gradle, since the fixed Gradle metadata in 32.1.2 may still require action on your part.

The Gradle team has contributed a metadata file for Guava. If you use Gradle 6 or higher, you will see better handling of two kinds of dependency conflicts, plus another small feature related to our dependencies. As a result of this change, you may see errors, which you can resolve as documented below. If you encounter a problem that isn't documented below, or if the documentation is unclear, please let us know.

If you use Gradle 6 (not 5, not 7+)

You may see an error like this one:

> Could not resolve all artifacts for configuration ':classpath'.
   > Could not resolve com.google.guava:guava:30.1-jre.
     Required by:
         project : > com.google.cloud.tools.jib:com.google.cloud.tools.jib.gradle.plugin:2.8.0 > gradle.plugin.com.google.cloud.tools:jib-gradle-plugin:2.8.0
      > The consumer was configured to find a runtime of a library compatible with Java 15, packaged as a jar, and its dependencies declared externally. However we cannot choose between the following variants of com.google.guava:guava:32.1.1-jre:
          - androidRuntimeElements
          - jreRuntimeElements
        All of them match the consumer attributes:
          - Variant 'androidRuntimeElements' capabilities com.google.collections:google-collections:32.1.1-jre and com.google.guava:guava:32.1.1-jre and com.google.guava:listenablefuture:1.0 declares a runtime of a library compatible with Java 8, packaged as a jar, and its dependencies declared externally:

If you do, you'll need to add something like this to a place where you configure the Java plugins:

sourceSets.all {
  configurations.getByName(runtimeClasspathConfigurationName) {
    attributes.attribute(Attribute.of("org.gradle.jvm.environment", String), "standard-jvm")
  }
  configurations.getByName(compileClasspathConfigurationName) {
    attributes.attribute(Attribute.of("org.gradle.jvm.environment", String), "standard-jvm")
  }
}

If you see an error about a duplicate ListenableFuture class

For example:

Execution failed for task ':app:checkDebugDuplicateClasses'.
> A failure occurred while executing com.android.build.gradle.internal.tasks.CheckDuplicatesRunnable
   > Duplicate class com.google.common.util.concurrent.ListenableFuture found in modules jetified-guava-32.1.1-android (com.google.guava:guava:32.1.1-android) and jetified-listenablefuture-1.0 (com.google.guava:listenablefuture:1.0)

This appears to be a Gradle bug.

@​mathisdt has provided a workaround:

dependencies {
### dependency definitions here ...
  modules {
    module("com.google.guava:listenablefuture") {
      replacedBy("com.google.guava:guava", "listenablefuture is part of guava")
    }
  }
}

Selecting the appropriate flavor

When Gradle automatically selects the newest version of Guava in your dependency graph, it will now also select the appropriate flavor (-android or -jre) based on whether you project targets Android or not. For example, if you depend on 32.1.0-android and 30.0-jre, Gradle will select 32.1.0-jre. This is the version most likely to be compatible with all your dependencies.

In the unusual event that you need to override Gradle's choice of flavor, you can do so as follows:

dependencies.constraints {
  implementation("com.google.guava:guava") {
    attributes {
      attribute(
        TargetJvmEnvironment.TARGET_JVM_ENVIRONMENT_ATTRIBUTE, 
        objects.named(TargetJvmEnvironment, TargetJvmEnvironment.ANDROID))
    }
  }
}

// If the above leads to a conflict error because there are additional transitive dependencies to Guava, then use:
configurations.all {
  resolutionStrategy.capabilitiesResolution.withCapability("com.google.guava:guava") {
    select(candidates.find { it.variantName.contains("android") })
  }
}

Reporting dependencies that overlap with Guava

If your dependency graph contains the very old google-collections or the hacky listenablefuture, Gradle will now report that those libraries contain duplicates of Guava classes. When this happens, you'll need to tell Gradle to select Guava:

configurations.all {
  resolutionStrategy.capabilitiesResolution.withCapability("com.google.collections:google-collections") {
    select("com.google.guava:guava:0")
  }
  // and/or
  resolutionStrategy.capabilitiesResolution.withCapability("com.google.guava:listenablefuture") {
    select("com.google.guava:guava:0")
  }
}

If that doesn't work, please let us know. And let us know whether our replacedBy workaround or these other workarounds work instead.

Omitting annotations at runtime

One dependency of Guava that is not needed at runtime (j2objc-annotations) is now omitted from the runtime classpath. (We may omit others in the future. See #​6606.)

Other changes

• collect: Tweaked more nullness annotations. (501a016, 5c23590)
• hash: Enhanced crc32c() to use Java's hardware-accelerated implementation where available. (65c7f10)
• util.concurrent: Added Duration-based default methods to ListeningExecutorService. (e7714b0)
• Began updating Javadoc to focus less on APIs that have been superseded by additions to the JDK. We're also looking to add more documentation that directs users to JDK equivalents for our APIs. Further PRs welcome! (c9efc47, 01dcc2e)
• Fixed some problems with using Guava from a Java Agent. (But we don't test that configuration, and we don't know how well we'll be able to keep it working.) (e42d4e8, de62703)
• Fixed BootstrapMethodError when using CacheBuilder from a custom system class loader. (As with the previous item, we're not sure how well we'll be able to keep this use case working.) (a667c38)
• Suppressed a harmless unusable-by-js warning seen by users of guava-gwt.

v32.0.1: 32.0.1

Compare Source

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>32.0.1-jre</version>
  <!-- or, for Android: -->
  <version>32.0.1-android</version>
</dependency>

Jar files

• 32.0.1-jre.jar
• 32.0.1-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.1.jar

Javadoc

• 32.0.1-jre
• 32.0.1-android

JDiff

• 32.0.1-jre vs. 32.0.0-jre
• 32.0.1-android vs. 32.0.0-android
• 32.0.1-android vs. 32.0.1-jre

Changelog

• io: Fixed Files.createTempDir and FileBackedOutputStream under Windows, which broke as part of the security fix in release 32.0.0. Sorry for the trouble. (fdbf77d)

v32.0.0: 32.0.0

Compare Source

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>32.0.0-jre</version>
  <!-- or, for Android: -->
  <version>32.0.0-android</version>
</dependency>

Jar files

• 32.0.0-jre.jar
• 32.0.0-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.1.jar

Javadoc

• 32.0.0-jre
• 32.0.0-android

JDiff

• 32.0.0-jre vs. 31.1-jre
• 32.0.0-android vs. 31.1-android
• 32.0.0-android vs. 32.0.0-jre

Changelog

Security fixes

• Reimplemented Files.createTempDir and FileBackedOutputStream to further address CVE-2020-8908 (#​4011) and CVE-2023-2976 (#​2575). (feb83a1)

While CVE-2020-8908 was officially closed when we deprecated Files.createTempDir in Guava 30.0, we've heard from users that even recent versions of Guava have been listed as vulnerable in other databases of security vulnerabilities. In response, we've reimplemented the method (and the very rarely used FileBackedOutputStream class, which had a similar issue) to eliminate the insecure behavior entirely. This change could technically affect users in a number of different ways (discussed under "Incompatible changes" below), but in practice, the only problem users are likely to encounter is with Windows. If you are using those APIs under Windows, you should skip 32.0.0 and go straight to 32.0.1 which fixes the problem. (Unfortunately, we didn't think of the Windows problem until after the release. And while we warn that common.io in particular may not work under Windows, we didn't intend to regress support.) Sorry for the trouble.

Incompatible changes

Although this release bumps Guava's major version number, it makes no binary-incompatible changes to the guava artifact.

One change could cause issues for Widows users, and a few other changes could cause issues for users in more usual situations:

• The new implementations of Files.createTempDir and FileBackedOutputStream throw an exception under Windows. This is fixed in 32.0.1. Sorry for the trouble.
• guava-gwt now requires GWT 2.10.0.
• This release makes a binary-incompatible change to a @Beta API in the separate artifact guava-testlib. Specifically, we changed the return type of TestingExecutors.sameThreadScheduledExecutor to ListeningScheduledExecutorService. The old return type was a package-private class, which caused the Kotlin compiler to produce warnings. (dafaa3e)
• This release adds two methods to the Android flavor of Guava: Invokable.getAnnotatedReturnType() and Parameter.getAnnotatedType(). Those methods do not work under an Android VM; we added them only to help our tests of the Android flavor (since we also run those tests under a JRE). Android VMs tolerate such methods as long as the app does not call them or perform reflection on them, and builds tolerate them because of our new Proguard configurations (discussed below). Thus, we expect no impact to most users. However, we could imagine build problems for users who have set up their own build system for the Android flavor of Guava. Please report any problems so that we can judge how safely we might be able to add other methods to the Android flavor in the future, such as APIs that use Java 8 classes like Stream. (b30e73c)
• This release removes various APIs from the guava-gwt. This affects only users of GWT. The APIs we removed are Enums, Sets.complementOf, and the Enum*BiMap classes' keyType() and valueType() methods. These changes prepare for the removal of reflective enum-related APIs from J2CL. If one of these changes causes you problems as a GWT user, let us know. (c3a155d, 09db2c2, 3de12be)
• The new implementations of Files.createTempDir and FileBackedOutputStream are annotated as @J2ObjCIncompatible. If you need to use them under J2ObjC, contact us. (56dc928)
• Because the new version of Files.createTempDir restricts permissions to the current user, it could break any caller that relies on letting other users access the directory.
• The new versions of Files.createTempDir and FileBackedOutputStream throw an exception if they can't create the directory or file securely. Aside from the accidental Windows bug discussed above, this is possible only under Android Ice Cream Sandwich, a very old version of Android that is the oldest one we test Guava with.

Other changes

• Removed @Beta from almost all APIs. For details, see the bottom of the release notes. At this point, it's probably simpler to look at a list of APIs that still are @Beta, such as this list for guava-jre. Most of the remaining @Beta APIs are in graph and hash.
• Enhanced the Guava jar to include Proguard configurations that are picked up automatically by the Android Gradle Plugin. This should help with warnings that were promoted to errors in Android Gradle Plugin 8.x. (aeba1e1)
• Enhanced the Guava jar to include information about method parameters in its class files. If you use static analyzers that look at method-parameter names, you may see new warnings or errors if they are now able to detect mismatches. But mostly, you may see better tooltips and autocompletion in IDEs. (59d174c)
• Improved nullness annotations on a few classes.
• Modified classes with "serial proxies" to declare exception-throwing readObject methods, in accordance with best practice. (e62d6a0)
• collect: Fixed Maps.newHashMapWithExpectedSize to stop allocating maps that were larger than they needed to be. (6ad621e)
• collect: Made various APIs work J2CL: Maps.immutableEnumMap+toImmutableEnumMap, EnumMultiset, CollectorTester. Previously, the APIs were present but failed at runtime. (b62c88e, 23ff918, 852a7d3)
• collect: Optimized memory usage for Interner and MapMaker. (a2e8f3c)
• graph: Changed directed graphs to reject attempts to add undirected edges. (76260d9)
• io: Added BaseEncoding.ignoreCase() to support case-insensitive decoding. (9c1e5de)
• net: Added HttpHeaders constants:
  • No-Vary-Search (688b9c2)
  • Sec-CH-DPR (75a3d4d)
  • Sec-CH-UA-Wow64 (49e6b9c)
  • Sec-CH-Viewport-Width and Sec-CH-Viewport-Height (44df85a)
  • Supports-Loading-Mode (0d5c16f)
• net: Added the MediaType constant for JWT. (f942fd2)
• primitives: Added rotate() for arrays of all primitive types. (cd338fa, 6e9057d)
• util.concurrent: Changed AbstractFuture to run interruptTask() just before afterDone(). Until this change, it ran slightly earlier than that: We used to run it before unblocking any pending get() calls, and now we run it after. (b337be6)
• util.concurrent: Fixed some cases in which we could catch InterruptedException but fail to restore the interrupt bit. (8f0350a)

@Beta removal list

• base: Utf8 (211907c)
• base: more APIs (b0cc461)
• collect: Multimaps.asMap(...) (df0081f)
• collect: FluentIterable APIs (73b2f7b)
• collect: Forwarding[Foo] APIs (9760dbc)
• collect: ImmutableFoo.Builder.builderWithExpectedSize(...), orderEntriesByValue(...), and Entry-related APIs (61be35c)
• collect: RangeMap, RangeSet, and friends (fe12c81)
• collect: more APIs (98820c7, e5e0f66)
• io: ByteStreams (4897930)
• io: more APIs (a589256)
• math: various APIs (912815e)
• primitives: Longs.tryParse(...) and friends (b3d4856)
• primitives: UnsignedLongs (b240e8c)
• primitives: more APIs (fcec25f, ab4302a)
• reflect: Invokable and some methods in TypeToken (a195f7d)
• reflect: Parameter (except getAnnotatedType() in guava-android) (b561eb1)
• testing: various APIs (b331769, 74ad9b8)
• util.concurrent: FluentFuture (b9a2d58)
• util.concurrent: Futures (15a0c9f)
• util.concurrent: Striped (ba8ad69)
• util.concurrent: various MoreExecutors APIs (a3571b4)
• util.concurrent: more APIs (bbaf76a)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[cloudflare-pages]

Deploying with    Cloudflare Pages

Latest commit:	dd9932f
Status:	✅  Deploy successful!
Preview URL:	https://f3c30e56.immich.pages.dev
Branch Preview URL:	https://renovate-major-guava-monorep.immich.pages.dev

View logs