google/truth

com.google.guava:guava library version update

MaskedRedstonerProZ opened this issue · 2 comments

The current version of Guava contained in the project contains a vulnerability (CVE-2023-2976). As that has been fixed in a later version of Guava, I believe said later version should be integrated into the Truth project. This is something which I believe I am able, and am willing, to do as my contribution to the project.

I believe that Truth 1.2.0 depends on Guava 33.0.0, which is not vulnerable. Can you point me to where you're seeing another version?

Apologies sir, my IDE failed to notify me of a new update in the Truth library. The vulnerable Guava version is seen in Truth 1.1.3; as such, I assumed it was the latest one, and didn't notice the releases. I will try to figure out what the issue is, and why my IDE didn't flag Truth 1.1.3 as outdated and update it. I will also close this issue if you don't mind.