[ https://issues.apache.org/jira/browse/OAK-7182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17246733#comment-17246733 ]
Cris Rockwell commented on OAK-7182:
------------------------------------

Was looking to update some deps in my oak-based app, and Guava 15 in particular. Based on my reading of this comment thread, seems there is consideration for breaking downstream apps which may have taken advantage of the Guava APIs leaked by Oak. Updating Oak to use a later version of Guava could possibly break downstream apps, which used old Guava parts that have changed or been removed. The alternatives of removing Guava API or shading Guava for internal use, would be akin to putting the Guava 'back in the bottle,' and having a bigger potential for breaking apps as opposed to just updating Oak to use a later version of Guava. Could be mistaken about that or oversimplifying.

My concern relates to Guava 15 which has the vulnerability below, so would like to see a version > 24.1.1
https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-52274/version_id-272463/Google-Guava-15.0.html

> Make it possible to update Guava
> --------------------------------
>
> Key: OAK-7182
> URL: https://issues.apache.org/jira/browse/OAK-7182
> Project: Jackrabbit Oak
> Issue Type: Wish
> Reporter: Julian Reschke
> Priority: Minor
> Attachments: GuavaTests.java, OAK-7182-guava-21-3.diff, OAK-7182-guava-21-4.diff, OAK-7182-guava-21.diff, OAK-7182-guava-23.6.1.diff, guava.diff
>
>
> We currently rely on Guava 15, and this affects all users of Oak because they essentially need to use the same version.
> This is an overall issue to investigate what would need to be done in Oak in order to make updates possible.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)