Update Guava to 32.1.2-jre
Description
Environment
Activity
Ian Young, August 15, 2023 at 9:33 AM
Added key for error-prone and bumped the Guava version in the parent project as commit b9589f0dce9b94f5244aa4d74f670c84311d9e11.
Ian Young, August 15, 2023 at 9:14 AM
error-prone key confirmed in https://github.com/google/error-prone/blob/master/KEYS.txt
Ian Young, August 11, 2023 at 1:57 PM
Sent mail directly to Liam Miller-Cushon’s @google.com address. He has been active in the project recently, so maybe there is some chance of a response that way.
Ian Young, August 11, 2023 at 1:49 PM
There’s some talk about this here:
https://github.com/google/guava/wiki/UseGuavaInYourBuild#what-about-guavas-own-dependencies
The bottom line seems to be that Maven is weird and things break in weird ways if you try to exclude these dependencies. So although that seems to work, I’m going to row back a bit and try again to validate the key.
Ian Young, August 11, 2023 at 1:31 PM
I tried adding error_prone_annotations as an exclusion from the artifact reference to guava in the parent project.
That seemed to work, in the sense that everything compiled and the enforcer didn’t complain about the new version.
Oddly, though, the local .m2 repo did re-acquire a copy of an older version (2.11.0) of the artifact so I’m not sure this would be sufficient long term. I guess it’s being referenced by some other dependency (there are 75000 dependents for 2.11.0 so it’s not something that I can enumerate).
There’s a new version of Guava out, with some fairly anodyne changes that probably don’t affect us, plus one CVE fixed.
We should update to this. I would normally not bother with an issue for something like this, but it looks like there are dependency changes which require key due diligence and updates.