openrewrite / rewrite-python

OpenRewrite recipes for Python.
Apache License 2.0

Adopt guava-jre v32.1.2 #63

Closed timtebeek closed 1 year ago

timtebeek commented 1 year ago

What's changed?

Update Guava to https://github.com/google/guava/releases/tag/v32.1.2

What's your motivation?

https://nvd.nist.gov/vuln/detail/CVE-2023-2976 was reported and suppressed downstream in https://github.com/openrewrite/rewrite-maven-plugin/commit/1600c1414fda030e49a6394d93f65403d3b8eff6.

Anything in particular you'd like reviewers to focus on?

The release notes seem to indicate the earlier issue has been solved:

https://github.com/google/guava/issues/6642#issuecomment-1656201382 the section of our Gradle metadata that caused Gradle to report conflicts with listenablefuture. (https://github.com/google/guava/commit/9ed0fa65ab0ecdf2f10d506e7dffeb3595953777)

Would you agree with that assessment?

Any additional context

A previous attempt to upgrade was reverted in https://github.com/openrewrite/rewrite-python/commit/f487df7dabb8588ae2edb17e31ff7b8ba3ffc133

timtebeek commented 1 year ago

I have:

  1. published rewrite-python to maven local
  2. published the gradle plugin to maven local
  3. added an init.gradle to spring-petclinic, to run org.openrewrite.java.OrderImports
  4. run ./gradlew --init-script init.gradle rewriteRun on the spring-petclinic
  5. verified that this resulted in BUILD SUCCESSFUL in 13s