Vulnerabilities referenced in version 7 #1798
Comments
This problem was resolved more than one year ago, when dependabot updated the Guava version to 32.0.0-jre. Currently, on master it's 33.0.0-jre, but there's still not a new Guice version.
Are there any plans for a small release (7.0.1 or 7.1.0) to bump insecure dependencies?
Hi, You should be able to solve the problem by overriding the Guava version used by Guice. Exclude the Guava dependency from Guice using and then add a separate Guava dependency with a version that does not have vulnerabilities.
@andrejgasteovski Yes, this is our current workaround. But it is still additional effort that needs to be done by all users of Guice and in my particular case in a regulated environment this measure also has a paper trail...
@andrejgasteovski I agree with @winne42. The cost of releasing a new version seems small to me relative to that of requiring every single project using Guice (dozens of thousands) to configure their build tool to override a dependency.
Workaround as discussed in the thread above:

```toml
[versions]
guava = { strictly = "33.3.1-jre" }
guice = "7.0.0"
[libraries]
guava = { module = "com.google.guava:guava", version.ref = "guava" }
guice = { module = "com.google.inject:guice", version.ref = "guice" }
```

But agree with the general sentiment shared above that a patch version of
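The same exclude-and-override workaround written for a Maven build, as an added example that is not from this thread or from the Guice project. The Guava version 33.3.1-jre and both module coordinates are taken from the Gradle catalog above; everything else is a generic pom.xml fragment.

```xml
<!-- Added example: pin a non-vulnerable Guava for a Guice 7.0.0 consumer in Maven. -->
<dependencies>
  <dependency>
    <groupId>com.google.inject</groupId>
    <artifactId>guice</artifactId>
    <version>7.0.0</version>
    <!-- Drop the transitive Guava that Guice 7.0.0 declares ... -->
    <exclusions>
      <exclusion>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- ... and declare the patched Guava directly so it is the only one resolved. -->
  <dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>33.3.1-jre</version>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=com.google.guava` should show only the pinned 33.3.1-jre artifact, which is the check a dependency scanner will also perform.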
ref: google/guice#1798 Signed-off-by: Open592 Developer <[email protected]>
Hi,
Looking at version 7 and there are two vulnerabilities.
Vulnerabilities from dependencies:
CVE-2023-2976
CVE-2020-8908
Can these be addressed?
talks about "access to the machine". I always assume if that is the case you are already vulnerable.