Re: Vendoring vulnerable Guava (CVE-2018-10237)

2018-10-15 Thread Lukasz Cwik
Nice on the gRPC update to much newer Guava. Once that is out, would be worthwhile to bump up our usage as well.
On Mon, Oct 15, 2018 at 2:44 PM Andrew Pilloud wrote:
> gRPC 1.15 was stuck at 20.0 for Java 6 support, but supports 24.1.1+
>

Re: Vendoring vulnerable Guava (CVE-2018-10237)

2018-10-15 Thread Andrew Pilloud
gRPC 1.15 was stuck at 20.0 for Java 6 support, but supports 24.1.1+. gRPC 1.16 will be out in about a week with a dependency on Guava 26.0 (https://github.com/grpc/grpc-java/blob/v1.16.x/build.gradle#L114). I stuck the

Re: Vendoring vulnerable Guava (CVE-2018-10237)

2018-10-15 Thread Lukasz Cwik
For example, we vendor gRPC and it still depends on 20.0 in its latest version (https://mvnrepository.com/artifact/io.grpc/grpc-core/1.15.1).
On Mon, Oct 15, 2018 at 2:10 PM Lukasz Cwik wrote:
> 20.0 is a common version used by many of our dependencies, using 20.0 is
> least likely to cause

Re: Vendoring vulnerable Guava (CVE-2018-10237)

2018-10-15 Thread Lukasz Cwik
20.0 is a common version used by many of our dependencies, using 20.0 is least likely to cause classpath issues. Note that with Guava 22.0+, they have said they won't introduce backwards incompatible changes anymore so getting past 22.0 would mean we could just rely on using the latest at all