typetools / checker-framework

Pluggable type-checking for Java
http://checkerframework.org/

Update org.checkerframework.annotatedlib:guava to Guava 33.1.0 #6531

Closed hazendaz closed 2 weeks ago

hazendaz commented 1 month ago

I tried to look around for how this is done exactly but couldn't find the exact source location. The resulting checker.jar has shaded Guava from a known vulnerable version. Is there a hard requirement that it is shaded and, if so, can it be upgraded to the latest release?

mernst commented 1 month ago

Thank you for pointing out this issue. I appreciate it.

One reason for the shading is explained at the very end of https://checkerframework.org/manual/#common-problems-running . Without shading, Error Prone and NullAway break the Checker Framework, and other tools might too, and this applies to libraries as well.

I will upgrade the version of Guava that the Checker Framework uses, so that will be in the next release, which is planned for May 1 or earlier.