[MNG-7828] Bump guava from 30.1-jre to 32.0.1-jre #1191
R: @cstamas

I'm curious: are there plans to bump this in 3.8.X?

A Maven 3.8.x release will happen if someone comes up with some blocker bug, which I doubt. And I am curious, why not move to the 3.9.x line?

I'm supporting some images built for Maven for some customers, and they still need 3.8.X, but we are requested to do a vulnerability patch for this.

I looked into it, but it's not very straightforward like the bump of
Thanks for this detail!

Ah, it seems like Guice has done the fix upstream: google/guice@331e484

Can a committer merge this PR? Thanks!

Hi Maven team, I'm curious to see if Maven is still considering doing a patch for 3.8.X? We have customers that need to use 3.8.X since they have multiple repos with plugins that only work in 3.8.X.

Not at this moment. Can you share more details (maybe links to bug reports to plugins repos?) about what issues your projects have with Maven 3.9? This is the active maintenance line of Maven.

They are internal customers, and I can't share the source code of their private customized plugins. Should we consider 3.8.X in general out of scope for vulnerability patches?

Which Maven vulnerability are you talking about specifically?
For requesting a vulnerability patch in 3.8.X, I think I'm asking about CVE-2023-2976. But I wanted to know if 3.8.X is generally considered excluded from vulnerability patches?

AFAIK Maven is not affected by the CVE you refer to. And no, 3.8.x is not excluded from reported vulnerability patches.

Please use the ML https://maven.apache.org/mailing-lists.html for communication.
|
Resolve #9091 |
Update due to CVE-2023-2976.
See https://issues.apache.org/jira/browse/MNG-7828 for more context.
--
Doing on master too, following @cstamas instructions at #1189 (comment)