fix(deps): update dependency com.google.guava:guava to v33 #5390
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
31.0.1-android
->33.0.0-android
Release Notes
google/guava (com.google.guava:guava)
v32.1.3
: 32.1.3Compare Source
Maven
Jar files
Guava requires one runtime dependency, which you can download here:
Javadoc
JDiff
Changelog
some-dependency
" errors that some users have reported (which might be a result of users' excludingguava-parent
). (c6d35cf
)collect
: ChangedMultisets.unmodifiableMultiset(set).removeIf(predicate)
to throw an exception always, even if nothing matchespredicate
. (61dbccf
)graph
: Fixed the behavior ofGraph
/ValueGraph
views for a node when that node is removed from the graph. (9507996
)io
: FixedFiles.createTempDir
andFileBackedOutputStream
under Windows services, a rare use case. (The fix actually covers only Java 9+ because Java 8 would require an additional approach. Let us know if you need support under Java 8.) (f87f68c
)net
: MadeMediaType.parse
allow and skip over whitespace around the/
and=
separator tokens in addition to the;
separator, for which it was already being allowed. (2786f83
)util.concurrent
: TweakedFutures.getChecked
constructor-selection behavior: The method continues to prefer to call constructors with aString
parameter, but now it breaks ties based on whether the constructor has aThrowable
parameter. Beyond that, the choice of constructor remains undefined. (For this and other reasons, we discourage the use ofgetChecked
.) (59cfb22
)v32.1.2
: 32.1.2Compare Source
Maven
Jar files
Guava requires one runtime dependency, which you can download here:
Javadoc
JDiff
Changelog
listenablefuture
. (9ed0fa6
)71a16d5
)collect
: Under J2CL, exposedImmutableList
andImmutableSet
methodscopyOf
andof
for JavaScript usage. (b41968f
)net
: OptimizedInternetDomainName
construction. (3a1d18f
,eaa62eb
)v32.1.1
: 32.1.1Compare Source
Maven
Jar files
Guava requires one runtime dependency, which you can download here:
Javadoc
JDiff
Changelog
v32.1.0
: 32.1.0Compare Source
Warning: Our Gradle-metadata version numbers are broken. Read these notes, but upgrade straight to 32.1.2.
We made a mistake in our release script, so the new Gradle metadata (discussed below) has broken version numbers in 32.1.0. Sorry for the trouble and for the need for another quick patch release. We recommend upgrading straight to release 32.1.2, especially if you use Gradle or if you publish a library whose users might use Gradle. Still, read the release notes below if you use Gradle, since the fixed Gradle metadata in 32.1.2 may still require action on your part.
Maven
Jar files
Guava requires one runtime dependency, which you can download here:
Javadoc
JDiff
Changelog
Gradle Module Metadata
Warning: We made a mistake in our release script, so this is broken in 32.1.0. We recommend upgrading straight to release 32.1.2, especially if you use Gradle or if you publish a library whose users might use Gradle. Still, read the release notes below if you use Gradle, since the fixed Gradle metadata in 32.1.2 may still require action on your part.
The Gradle team has contributed a metadata file for Guava. If you use Gradle 6 or higher, you will see better handling of two kinds of dependency conflicts, plus another small feature related to our dependencies. As a result of this change, you may see errors, which you can resolve as documented below. If you encounter a problem that isn't documented below, or if the documentation is unclear, please let us know.
If you use Gradle 6 (not 5, not 7+)
You may see an error like this one:
If you do, you'll need to add something like this to a place where you configure the Java plugins:
If you see an error about a duplicate
ListenableFuture
classFor example:
This appears to be a Gradle bug.
@mathisdt has provided a workaround:
Selecting the appropriate flavor
When Gradle automatically selects the newest version of Guava in your dependency graph, it will now also select the appropriate flavor (
-android
or-jre
) based on whether you project targets Android or not. For example, if you depend on 32.1.0-android and 30.0-jre, Gradle will select 32.1.0-jre. This is the version most likely to be compatible with all your dependencies.In the unusual event that you need to override Gradle's choice of flavor, you can do so as follows:
Reporting dependencies that overlap with Guava
If your dependency graph contains the very old
google-collections
or the hackylistenablefuture
, Gradle will now report that those libraries contain duplicates of Guava classes. When this happens, you'll need to tell Gradle to select Guava:If that doesn't work, please let us know. And let us know whether our
replacedBy
workaround or these other workarounds work instead.Omitting annotations at runtime
One dependency of Guava that is not needed at runtime (
j2objc-annotations
) is now omitted from the runtime classpath. (We may omit others in the future. See #6606.)Other changes
collect
: Tweaked more nullness annotations. (501a016
,5c23590
)hash
: Enhancedcrc32c()
to use Java's hardware-accelerated implementation where available. (65c7f10
)util.concurrent
: AddedDuration
-baseddefault
methods toListeningExecutorService
. (e7714b0
)c9efc47
,01dcc2e
)e42d4e8
,de62703
)BootstrapMethodError
when usingCacheBuilder
from a custom system class loader. (As with the previous item, we're not sure how well we'll be able to keep this use case working.) (a667c38
)unusable-by-js
warning seen by users ofguava-gwt
.v32.0.1
: 32.0.1Compare Source
Maven
Jar files
Guava requires one runtime dependency, which you can download here:
Javadoc
JDiff
Changelog
io
: FixedFiles.createTempDir
andFileBackedOutputStream
under Windows, which broke as part of the security fix in release 32.0.0. Sorry for the trouble. (fdbf77d
)v32.0.0
: 32.0.0Compare Source
Maven
Jar files
Guava requires one runtime dependency, which you can download here:
Javadoc
JDiff
Changelog
Security fixes
Files.createTempDir
andFileBackedOutputStream
to further address CVE-2020-8908 (#4011) and CVE-2023-2976 (#2575). (feb83a1
)While CVE-2020-8908 was officially closed when we deprecated
Files.createTempDir
in Guava 30.0, we've heard from users that even recent versions of Guava have been listed as vulnerable in other databases of security vulnerabilities. In response, we've reimplemented the method (and the very rarely usedFileBackedOutputStream
class, which had a similar issue) to eliminate the insecure behavior entirely. This change could technically affect users in a number of different ways (discussed under "Incompatible changes" below), but in practice, the only problem users are likely to encounter is with Windows. If you are using those APIs under Windows, you should skip 32.0.0 and go straight to 32.0.1 which fixes the problem. (Unfortunately, we didn't think of the Windows problem until after the release. And while we warn thatcommon.io
in particular may not work under Windows, we didn't intend to regress support.) Sorry for the trouble.Incompatible changes
Although this release bumps Guava's major version number, it makes no binary-incompatible changes to the
guava
artifact.One change could cause issues for Widows users, and a few other changes could cause issues for users in more usual situations:
Files.createTempDir
andFileBackedOutputStream
throw an exception under Windows. This is fixed in 32.0.1. Sorry for the trouble.guava-gwt
now requires GWT 2.10.0.@Beta
API in the separate artifactguava-testlib
. Specifically, we changed the return type ofTestingExecutors.sameThreadScheduledExecutor
toListeningScheduledExecutorService
. The old return type was a package-private class, which caused the Kotlin compiler to produce warnings. (dafaa3e
)Invokable.getAnnotatedReturnType()
andParameter.getAnnotatedType()
. Those methods do not work under an Android VM; we added them only to help our tests of the Android flavor (since we also run those tests under a JRE). Android VMs tolerate such methods as long as the app does not call them or perform reflection on them, and builds tolerate them because of our new Proguard configurations (discussed below). Thus, we expect no impact to most users. However, we could imagine build problems for users who have set up their own build system for the Android flavor of Guava. Please report any problems so that we can judge how safely we might be able to add other methods to the Android flavor in the future, such as APIs that use Java 8 classes likeStream
. (b30e73c
)guava-gwt
. This affects only users of GWT. The APIs we removed areEnums
,Sets.complementOf
, and theEnum*BiMap
classes'keyType()
andvalueType()
methods. These changes prepare for the removal of reflective enum-related APIs from J2CL. If one of these changes causes you problems as a GWT user, let us know. (c3a155d
,09db2c2
,3de12be
)Files.createTempDir
andFileBackedOutputStream
are annotated as@J2ObjCIncompatible
. If you need to use them under J2ObjC, contact us. (56dc928
)Files.createTempDir
restricts permissions to the current user, it could break any caller that relies on letting other users access the directory.Files.createTempDir
andFileBackedOutputStream
throw an exception if they can't create the directory or file securely. Aside from the accidental Windows bug discussed above, this is possible only under Android Ice Cream Sandwich, a very old version of Android that is the oldest one we test Guava with.Other changes
@Beta
from almost all APIs. For details, see the bottom of the release notes. At this point, it's probably simpler to look at a list of APIs that still are@Beta
, such as this list forguava-jre
. Most of the remaining@Beta
APIs are ingraph
andhash
.aeba1e1
)59d174c
)readObject
methods, in accordance with best practice. (e62d6a0
)collect
: FixedMaps.newHashMapWithExpectedSize
to stop allocating maps that were larger than they needed to be. (6ad621e
)collect
: Made various APIs work J2CL:Maps.immutableEnumMap
+toImmutableEnumMap
,EnumMultiset
,CollectorTester
. Previously, the APIs were present but failed at runtime. (b62c88e
,23ff918
,852a7d3
)collect
: Optimized memory usage forInterner
andMapMaker
. (a2e8f3c
)graph
: Changed directed graphs to reject attempts to add undirected edges. (76260d9
)io
: AddedBaseEncoding.ignoreCase()
to support case-insensitive decoding. (9c1e5de
)net
: AddedHttpHeaders
constants:No-Vary-Search
(688b9c2
)Sec-CH-DPR
(75a3d4d
)Sec-CH-UA-Wow64
(49e6b9c
)Sec-CH-Viewport-Width
andSec-CH-Viewport-Height
(44df85a
)Supports-Loading-Mode
(0d5c16f
)net
: Added theMediaType
constant for JWT. (f942fd2
)primitives
: Addedrotate()
for arrays of all primitive types. (cd338fa
,6e9057d
)util.concurrent
: ChangedAbstractFuture
to runinterruptTask()
just beforeafterDone()
. Until this change, it ran slightly earlier than that: We used to run it before unblocking any pendingget()
calls, and now we run it after. (b337be6
)util.concurrent
: Fixed some cases in which we could catchInterruptedException
but fail to restore the interrupt bit. (8f0350a
)@Beta
removal listbase
:Utf8
(211907c
)base
: more APIs (b0cc461
)collect
:Multimaps.asMap(...)
(df0081f
)collect
:FluentIterable
APIs (73b2f7b
)collect
:Forwarding[Foo]
APIs (9760dbc
)collect
:ImmutableFoo.Builder.builderWithExpectedSize(...)
,orderEntriesByValue(...)
, andEntry
-related APIs (61be35c
)collect
:RangeMap
,RangeSet
, and friends (fe12c81
)collect
: more APIs (98820c7
,e5e0f66
)io
:ByteStreams
(4897930
)io
: more APIs (a589256
)math
: various APIs (912815e
)primitives
:Longs.tryParse(...)
and friends (b3d4856
)primitives
:UnsignedLongs
(b240e8c
)primitives
: more APIs (fcec25f
,ab4302a
)reflect
:Invokable
and some methods inTypeToken
(a195f7d
)reflect
:Parameter
(exceptgetAnnotatedType()
inguava-android
) (b561eb1
)testing
: various APIs (b331769
,74ad9b8
)util.concurrent
:FluentFuture
(b9a2d58
)util.concurrent
:Futures
(15a0c9f
)util.concurrent
:Striped
(ba8ad69
)util.concurrent
: variousMoreExecutors
APIs (a3571b4
)util.concurrent
: more APIs (bbaf76a
)Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.