This is an automated email from the ASF dual-hosted git repository.
spmallette pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tinkerpop.git
The following commit(s) were added to refs/heads/master by this push:
new 5aae2577c2 Bump guava to 33.6.0-jre
5aae2577c2 is described below
commit 5aae2577c29c7af7e295ef0860eb6eb5d4816cb8
Author: Stephen Mallette <[email protected]>
AuthorDate: Wed Jul 1 14:02:30 2026 -0400
Bump guava to 33.6.0-jre
Clears CVE-2023-2976 / CVE-2020-8908 from the shipped transitive
dependency tree. Validated with a full mvn clean install.
Assisted-by: Claude Code:claude-opus-4-8
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 8e6a0569ae..646b2ddf19 100644
--- a/pom.xml
+++ b/pom.xml
@@ -164,7 +164,7 @@ limitations under the License.
don't really use guava directly, but there are a lot of jar
conflicts around it,
so centralizing that dependency version here
-->
- <guava.version>31.0.1-jre</guava.version>
+ <guava.version>33.6.0-jre</guava.version>
<!--
don't think we need guice 7 at the moment - the only difference with
6 is that
it supports the jakarta.inject namespace which tinkerpop doesn't
fuss with
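Review bot: At the `<guava.version>33.6.0-jre</guava.version>` line, the adjacent comment says guava is not used directly and that this property only centralizes the version, so the bump removes the CVEs only where the property actually governs resolution. The hunk does not show where `guava.version` is consumed. Please confirm it feeds a managed dependency entry that overrides the transitive guava in every shipped module, and check the resolved tree (for example `mvn dependency:tree -Dincludes=com.google.guava`) rather than relying on `mvn clean install` alone, since a passing build does not show which guava version ends up in the artifacts. The diffstat lists only pom.xml, so a changelog or upgrade note is also missing for a jump of two major versions from 31.0.1-jre, which downstream users inheriting this version would want to see.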