You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@groovy.apache.org by "Alexander Veit (Jira)" <ji...@apache.org> on 2020/10/26 23:41:00 UTC

[jira] [Created] (GROOVY-9795) Update or remove Guava dependency

Alexander Veit created GROOVY-9795:
--------------------------------------

             Summary: Update or remove Guava dependency
                 Key: GROOVY-9795
                 URL: https://issues.apache.org/jira/browse/GROOVY-9795
             Project: Groovy
          Issue Type: Improvement
    Affects Versions: 3.0.5
            Reporter: Alexander Veit


The Groovy binary distribution comes with a quite old and insecure (e.g. CVE-2018-10237) `guava-19.0.jar`.

It should be updated or removed if it is not actually needed as a transitive dependency.

Groovy itself seems to have the only dependency to Guava in `CommandChainsTest.groovy` and `Groovy6786Bug.class`.




--
This message was sent by Atlassian Jira
(v8.3.4#803005)