Skip to content

fix(deps): update dependency com.google.guava:guava to v32 [security]#2939

Merged
bjagg merged 1 commit into
masterfrom
renovate/major-guavaversion
Apr 27, 2026
Merged

fix(deps): update dependency com.google.guava:guava to v32 [security]#2939
bjagg merged 1 commit into
masterfrom
renovate/major-guavaversion

Conversation

@renovate

@renovate renovate Bot commented Apr 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
com.google.guava:guava 31.1-jre32.0.0-android age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Guava vulnerable to insecure use of temporary directory

CVE-2023-2976 / GHSA-7g45-4rm6-3mm3

More information

Details

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Information Disclosure in Guava

CVE-2020-8908 / GHSA-5mg8-w23w-74h3

More information

Details

A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.

Severity

  • CVSS Score: 3.3 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@bjagg bjagg mentioned this pull request Apr 27, 2026
Merged
3 tasks
bjagg added a commit that referenced this pull request Apr 27, 2026
@bjagg
chore: pin Spring/Hibernate majors in renovate config (#2948)
f81e756 
Problem: Renovate keeps opening major-bump PRs (Spring 5/6, Spring
Security 5+, Hibernate 5+) because the Maven Central versions newer
than what we pin in gradle.properties show up as available, and
[security] flags in those PRs amplify the noise. Each major is a
coordinated migration we are not ready for, and we close them by hand
every cycle. Recent examples: #2937, #2940, #2941, #2942.

Goal: encode the migration constraints in renovate.json so Renovate
stops offering majors that won't be merged. Stays consistent with the
same pinning pattern applied across the portlet repos in the recent
sweep (AnnouncementsPortlet, basiclti-portlet, FeedbackPortlet,
NotificationPortlet, etc.).

Changes:
- renovate.json: add three packageRules entries with allowedVersions
  - org.springframework:* / .data:* / .webflow:* → < 5.0
    (Spring 5+ requires a coordinated API migration; Spring 6+ adds
     Jakarta EE + Java 17 on top.)
  - org.springframework.security:* / .oauth:* → < 5.0
    (Bound to the Spring Framework 4.3.x line; moves in lockstep.)
  - org.hibernate:* / org.hibernate.orm:* → < 5.0
    (Hibernate 5+ has API + EntityManager changes; 6+ renames the
     groupId and needs Jakarta EE + Java 17.)

Notes: did not pin Spring LDAP (2.x is current line, 2.4.4 bump in
#2938 is a minor), Springfox (2.10.0 bump in #2935 is also a minor),
or Guava (#2939 to v32 is plausible — resource-server already runs
guava 32). These can flow through normally.

Closes #2937, #2940 (duplicates).
Closes #2941, #2942 (won't migrate this release).

Refs #2938, #2935, #2939 (allowed to proceed normally).
@renovate renovate Bot changed the title fix(deps): update dependency com.google.guava:guava to v32 [security] fix(deps): update dependency com.google.guava:guava to v32 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/major-guavaversion branch April 27, 2026 18:24
@bjagg

bjagg commented Apr 27, 2026

Copy link
Copy Markdown
Member

@renovatebot rebase

Triggering a rebase + fresh CI run. The previous CI failure on Apr 15 was an ErrorProne CheckReturnValue violation in LimitingTeeWriter.java and LimitingTeeOutputStream.java. Both files were rewritten on master since (#2943 and #2945), so the failure should be moot now. If green, this goes into v5.17.3.

@renovate renovate Bot changed the title fix(deps): update dependency com.google.guava:guava to v32 [security] - autoclosed fix(deps): update dependency com.google.guava:guava to v32 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/major-guavaversion branch 2 times, most recently from 9b31e9b to b8df3cc Compare April 27, 2026 20:27
@bjagg bjagg merged commit ba1702a into master Apr 27, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bjagg