maven-issues mailing list archives

From "Hudson (Jira)" <j...@apache.org>
Subject [jira] [Commented] (MINDEXER-126) Remove guava dependency from indexer-core
Date Mon, 05 Apr 2021 10:29:00 GMT

    [ https://issues.apache.org/jira/browse/MINDEXER-126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17314769#comment-17314769 ]

Hudson commented on MINDEXER-126:
---------------------------------

Build unstable in Jenkins: Maven » Maven TLP » maven-indexer » master #36

See https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/master/36/

> Remove guava dependency from indexer-core
> -----------------------------------------
>
>                 Key: MINDEXER-126
>                 URL: https://issues.apache.org/jira/browse/MINDEXER-126
>             Project: Maven Indexer
>          Issue Type: Dependency upgrade
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>             Fix For: 6.0.1
>
>
> It suffers from multiple CVEs:
>  * guava < 24.1.1 is vulnerable to [CVE-2018-10237|https://github.com/advisories/GHSA-mvr2-9pj6-7w5j].
>  * guava < 30.0 is vulnerable to [CVE-2020-8908|https://github.com/google/guava/issues/4011].
> Moving to guava 30.1 will require moving to Java 8 so it's actually simpler to just remove
> the dependency altogether.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
