Closed ghost closed 10 months ago
@devnewton Thanks for reporting this issue. Today we released version 0.3.2, which contains the newest dependencies. Please update handlebars-spring-boot-starter to version 0.3.2.
Thank you. With 0.3.2 I still have an alert on guava. Is it safe to exclude it from the dependencies?
Guava 18.0 is a dependency of handlebars 4.2.0: https://repo1.maven.org/maven2/com/github/jknack/handlebars.java/4.2.0/handlebars.java-4.2.0.pom
Guava is required by default, because handlebars-spring-boot-starter uses guava cache (https://github.com/allegro/handlebars-spring-boot-starter#custom-cache-template, https://github.com/jknack/handlebars.java#the-cache-system).
So you have two options:
Actually, we have an open issue https://github.com/allegro/handlebars-spring-boot-starter/issues/47 to update handlebars to 4.3.x, which uses guava 31.0.1.
I ran OWASP dependency checker on my project. It reports vulnerabilities from handlebars-spring-boot-starter dependencies: