[jira] [Closed] (MINDEXER-126) Remove guava dependency from indexer-core

Sylwester Lachiewicz (Jira) Mon, 05 Apr 2021 07:53:04 -0700


     [ 
https://issues.apache.org/jira/browse/MINDEXER-126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Sylwester Lachiewicz closed MINDEXER-126.
-----------------------------------------
    Resolution: Fixed

> Remove guava dependency from indexer-core
> -----------------------------------------
>
>                 Key: MINDEXER-126
>                 URL: https://issues.apache.org/jira/browse/MINDEXER-126
>             Project: Maven Indexer
>          Issue Type: Dependency upgrade
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>             Fix For: 6.0.1
>
>
> It suffers from multiple CVEs:
>  * guava < 24.1.1 is vulnerable to 
> [CVE-2018-10237|https://github.com/advisories/GHSA-mvr2-9pj6-7w5j].
>  * guava < 30.0 is vulnerable to 
> [CVE-2020-8908|https://github.com/google/guava/issues/4011].
> Moving to guava 30.1 will require moving to Java 8 so it's actually simpler 
> to just remove the dependency altogether.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Closed] (MINDEXER-126) Remove guava dependency from indexer-core

Reply via email to