You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@groovy.apache.org by "Alexander Veit (Jira)" <ji...@apache.org> on 2020/10/26 23:41:00 UTC
[jira] [Created] (GROOVY-9795) Update or remove Guava dependency
Alexander Veit created GROOVY-9795:
--------------------------------------
Summary: Update or remove Guava dependency
Key: GROOVY-9795
URL: https://issues.apache.org/jira/browse/GROOVY-9795
Project: Groovy
Issue Type: Improvement
Affects Versions: 3.0.5
Reporter: Alexander Veit
The Groovy binary distribution comes with a quite old and insecure (e.g. CVE-2018-10237) `guava-19.0.jar`.
It should be updated or removed if it is not actually needed as a transitive dependency.
Groovy itself seems to have the only dependency to Guava in `CommandChainsTest.groovy` and `Groovy6786Bug.class`.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)