deps: Update Guava to 32.0.0 #12953

Closed
chadlwilson wants to merge 1 commit into protocolbuffers:main from chadlwilson:update-guava-32

@chadlwilson (Contributor) commented Jun 1, 2023

Updates Guava to 32.0.0 to include fixes for CVE-2020-8908 and CVE-2023-2976 (google/guava#2575), which affect certain builds with shaded usage, e.g. Ruby via the JRuby/Java platform, such as https://rubygems.org/gems/google-protobuf/versions/3.23.2-java

May need backporting to 23.x branch if sufficiently compatible.

@chadlwilson chadlwilson requested a review from a team as a code owner June 1, 2023 08:51
@chadlwilson chadlwilson requested review from shaod2 and removed request for a team June 1, 2023 08:51
@hlopko hlopko added the java label Jun 5, 2023
@fowles fowles requested review from googleberg and removed request for shaod2 June 7, 2023 17:26
@fowles fowles added the 🅰️ safe for tests Mark a commit as safe to run presubmits over label Jun 7, 2023
@copybara-service copybara-service bot closed this in cd615a8 Jun 8, 2023
@chadlwilson chadlwilson deleted the update-guava-32 branch June 8, 2023 03:44
@chadlwilson (Contributor, Author)

Thanks! Not sure if there is an automated backport review process, but created #13002 if useful (cherry-picked from the copybara main commit).

copybara-service bot pushed a commit that referenced this pull request Jun 20, 2023
Follow-up from #12953 to update to `32.0.1` to fix an issue on Windows:

https://github.com/google/guava/releases/tag/v32.0.1

The underlying issue likely does not affect protobuf as it does not appear to (directly) use the affected `Files.createTempDir` or `FileBackedOutputStream` code which was apparently broken on Windows in `32.0.0`.

Seems best to update anyway.

Closes #13099

COPYBARA_INTEGRATE_REVIEW=#13099 from chadlwilson:bump-guava-3201 30bd3f7
PiperOrigin-RevId: 541960623