Posted to issues@maven.apache.org by "Hudson (Jira)" <ji...@apache.org> on 2021/04/05 10:29:00 UTC

[jira] [Commented] (MINDEXER-126) Remove guava dependency from indexer-core

    [ https://issues.apache.org/jira/browse/MINDEXER-126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17314769#comment-17314769 ] 

Hudson commented on MINDEXER-126:
---------------------------------

Build unstable in Jenkins: Maven » Maven TLP » maven-indexer » master #36

See https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/master/36/

> Remove guava dependency from indexer-core
> -----------------------------------------
>
>                 Key: MINDEXER-126
>                 URL: https://issues.apache.org/jira/browse/MINDEXER-126
>             Project: Maven Indexer
>          Issue Type: Dependency upgrade
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>             Fix For: 6.0.1
>
>
> It suffers from multiple CVEs:
>  * guava < 24.1.1 is vulnerable to [CVE-2018-10237|https://github.com/advisories/GHSA-mvr2-9pj6-7w5j].
>  * guava < 30.0 is vulnerable to [CVE-2020-8908|https://github.com/google/guava/issues/4011].
> Moving to guava 30.1 will require moving to Java 8 so it's actually simpler to just remove the dependency altogether.


