Hello there. I use this library and noticed that it was pulling in a number of out-of-date dependencies, some of which have known vulnerabilities (e.g., https://nvd.nist.gov/vuln/detail/CVE-2020-8908 for guava). As part of updating them I did the following:
- Moved from the deprecated `maven` plugin to `maven-publish`
- Removed the android logic in the `gradle-mvn-push` as it seemed like it wasn't actually being triggered
- Updated the gradle wrapper to 7.2.0
- Updated shadow to 7.0.0 and updated dependencies between `auto-value-gson-extension` and `auto-value-gson-runtime` to get it to properly work on clean builds
- Updated all dependencies to the latest versions I could find when possible

Let me know if any of these changes should be walked back or if you want some of this split into separate PRs.