square/moshi

Old guava version has security issues

JWvanV opened this issue · 4 comments

JWvanV commented

Hi,

The bug is more of a concern: it appears that the current version of com.squareup.moshi:moshi-kotlin-codegen:1.15.0 has a dependency on com.google.guava:guava:30.1.1-jre, which has a known security issue:
https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-52274/Google-Guava.html

Could you update it to version 32.x?

Send a PR?

Seems we've actually been on 32.x for a while. Just updated another patch here: #1713

@ZacSweers strange, but moshi-kotlin-codegen seems to still have guava 30.1.1 in it :/ Mend still generates an issue report, and you can also see it here: mvnrepository

We don't use the problematic APIs