[ 
https://issues.apache.org/jira/browse/MINDEXER-126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17965361#comment-17965361
 ] 

Olivier Lamy commented on MINDEXER-126:
---------------------------------------

This project has moved from Jira to GitHub Issues. This issue was migrated to 
[apache/maven-indexer#482|https://github.com/apache/maven-indexer/issues/482]. 

> Remove guava dependency from indexer-core
> -----------------------------------------
>
>                 Key: MINDEXER-126
>                 URL: https://issues.apache.org/jira/browse/MINDEXER-126
>             Project: Maven Indexer (Moved to GitHub Issues)
>          Issue Type: Dependency upgrade
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>             Fix For: 6.1.0, 6.1.1
>
>
> It suffers from multiple CVEs:
>  * guava < 24.1.1 is vulnerable to 
> [CVE-2018-10237|https://github.com/advisories/GHSA-mvr2-9pj6-7w5j].
>  * guava < 30.0 is vulnerable to 
> [CVE-2020-8908|https://github.com/google/guava/issues/4011].
> Moving to guava 30.1 will require moving to Java 8 so it's actually simpler 
> to just remove the dependency altogether.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
