[
https://issues.apache.org/jira/browse/OAK-7182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17246733#comment-17246733
]
Cris Rockwell commented on OAK-7182:
------------------------------------
Was looking to update some deps in my oak-based app, and Guava 15 in
particular. Based on my reading of this comment thread, it seems there is
consideration for breaking downstream apps which may have taken advantage of
the Guava APIs leaked by Oak. Updating Oak to use a later version of Guava
could possibly break downstream apps which used old Guava parts that have
changed or been removed. The alternatives of removing the Guava API or shading
Guava for internal use would be akin to putting the Guava 'back in the
bottle,' and would have a bigger potential for breaking apps as opposed to just
updating Oak to use a later version of Guava. Could be mistaken about that or
oversimplifying.
My concern relates to Guava 15, which has the vulnerability below, so I would
like to see a version > 24.1.1:
https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-52274/version_id-272463/Google-Guava-15.0.html
> Make it possible to update Guava
> --------------------------------
>
> Key: OAK-7182
> URL: https://issues.apache.org/jira/browse/OAK-7182
> Project: Jackrabbit Oak
> Issue Type: Wish
> Reporter: Julian Reschke
> Priority: Minor
> Attachments: GuavaTests.java, OAK-7182-guava-21-3.diff,
> OAK-7182-guava-21-4.diff, OAK-7182-guava-21.diff, OAK-7182-guava-23.6.1.diff,
> guava.diff
>
>
> We currently rely on Guava 15, and this affects all users of Oak because they
> essentially need to use the same version.
> This is an overall issue to investigate what would need to be done in Oak in
> order to make updates possible.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
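Before deciding whether to bump, shade or remove Guava, a practitioner first wants to know which Guava an oak-based build actually resolves, and whether a newer one is being shadowed by the version Oak drags in. The script below is an added example written for this thread; it is not code from the Oak project or from the commenter. It parses `mvn dependency:tree -Dverbose` output (the sample tree is constructed, including the oak-core version and the hypothetical `org.example:other-lib`), reads the Guava version off every `com.google.guava:guava` coordinate, treats lines Maven marks as "omitted for duplicate/conflict" as shadowed rather than resolved, and checks the resolved version against the threshold the commenter asks for. The exact boundary (24.1.1) is taken from the comment above, not independently verified here, so adjust `minimum` to whatever your own advisory review requires.

```python
"""Audit a Maven dependency tree for the Guava version a build really resolves.

Added example for the OAK-7182 discussion, not Oak project code.
Input format: `mvn dependency:tree -Dverbose` text. Maven's nearest-wins
resolution leaves exactly one Guava on the classpath; every other occurrence
is printed in parentheses with "omitted for duplicate" or "omitted for
conflict with <version>". The sample below is constructed for the example.
"""
import re
import sys
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: oak-core (version assumed) pulls Guava 15.0 at depth 2,
# a hypothetical other library wants 24.1.1-jre at depth 3 and loses.
SAMPLE_TREE = r"""
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.apache.jackrabbit:oak-core:jar:1.8.0:compile
[INFO] |  \- com.google.guava:guava:jar:15.0:compile
[INFO] \- org.example:other-lib:jar:2.0:compile
[INFO]    \- (com.google.guava:guava:jar:24.1.1-jre:compile - omitted for conflict with 15.0)
"""

# Guava coordinate with its version; version stops at ':', whitespace or ')'.
GUAVA_RE = re.compile(r"com\.google\.guava:guava:jar:(?P<version>[^:\s)]+)")
# Maven's verbose marker for an occurrence that did NOT make it onto the classpath.
OMITTED_RE = re.compile(r"omitted for (duplicate|conflict)")


class Finding(NamedTuple):
    version: str              # as printed, e.g. "24.1.1-jre"
    numeric: Tuple[int, ...]  # comparable form, e.g. (24, 1, 1)
    resolved: bool            # True if Maven actually selected this occurrence
    acceptable: bool          # numeric >= the required minimum


def parse_guava_version(text: str) -> Tuple[int, ...]:
    """'24.1.1-jre' -> (24, 1, 1); '15.0' -> (15, 0, 0).

    Guava 22+ carries a '-jre' or '-android' qualifier that does not affect
    ordering, so everything after the first '-' is dropped. Short versions are
    padded to three components so tuple comparison is not length-sensitive.
    """
    core = text.split("-", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable Guava version: {text!r}")
        parts.append(int(piece))
    return tuple(parts + [0] * (3 - len(parts)))


def audit_guava(tree_text: str, minimum: Tuple[int, int, int] = (24, 1, 1)) -> List[Finding]:
    """One Finding per Guava occurrence in the tree, resolved or shadowed."""
    findings: List[Finding] = []
    for line in tree_text.splitlines():
        match = GUAVA_RE.search(line)
        if not match:
            continue
        version = match.group("version")
        numeric = parse_guava_version(version)
        resolved = OMITTED_RE.search(line) is None
        findings.append(Finding(version, numeric, resolved, numeric >= minimum))
    return findings


def report(tree_text: str, minimum: Tuple[int, int, int] = (24, 1, 1)) -> Dict[str, object]:
    """Summarise: which Guava is on the classpath, which were shadowed, and
    whether the resolved one meets the minimum. No Guava at all is reported as
    not acceptable so a silent parse miss cannot read as a pass."""
    findings = audit_guava(tree_text, minimum)
    resolved = sorted({f.version for f in findings if f.resolved})
    shadowed = sorted({f.version for f in findings if not f.resolved})
    acceptable = bool(resolved) and all(f.acceptable for f in findings if f.resolved)
    return {"resolved": resolved, "shadowed": shadowed, "acceptable": acceptable}


if __name__ == "__main__":
    # Pipe real output in: mvn dependency:tree -Dverbose | python audit_guava.py
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    print(report(text))
```

The distinction between resolved and shadowed is the part worth keeping in mind for this thread: a tree that merely *contains* a 24.1.1-jre line is not enough, because the nearest declaration wins, and with Oak declaring Guava 15 close to the root that is usually the one your application ships. A dependency-management entry or a shaded, relocated Guava inside Oak would change what this audit sees.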