Open OODesigns opened 7 months ago
andrejgasteovski
commented
3 months ago This problem was resolved more than one year ago, when dependabot updated the Guava version to 32.0.0-jre. Currently, on master it's 33.0.0-jre, but there's still not a new Guice version.
TehBrian
commented
1 month ago Are there any plans for a small release (7.0.1 or 7.1.0) to bump insecure dependencies?
winne42
commented
1 month ago Hey @sameb , @mcculls , @cpovirk et al., I am also very interested in a "maintenance release" with CVE-free dependencies. Any change we get a 7.0.1 or 7.1.0 release soon?
andrejgasteovski
commented
1 month ago Hi,
You should be able to solve the problem by overriding the Guava version used by Guice. Exclude the Guava dependency from Guice using
winne42
commented
1 month ago @andrejgasteovski Yes, this is our current workaround. But it is still additional effort that needs to be done by all users of Guice and in my particular case in a regulated environment this measure also has a paper trail...
TehBrian
commented
1 month ago @andrejgasteovski I agree with @winne42. The cost of releasing a new version seems small to me relative to that of requiring every single project using Guice (dozens of thousands) to configure their build tool to override a dependency.
cfrank
commented
6 days ago Workaround as discussed in the thread above:
gradle/libs.versions.toml
[versions]
guava = { strictly = "33.3.1-jre" }
guice = "7.0.0"
[libraries]
guava = { module = "com.google.guava:guava", version.ref = "guava" }
guice = { module = "com.google.inject:guice", version.ref = "guice" }But agree with the general sentiment shared above that a patch version of guice would be a more user friendly way to solve this issue.
Hi Looking @ version 7 and there are two Vulnerabilities
Vulnerabilities from dependencies: CVE-2023-2976 CVE-2020-8908
Can these be addressed?
talks about "access to the machine". I always assume if that is the case you are already Vulnerable.