Update org.checkerframework.annotatedlib:guava to Guava 33.1.0 #6531

hazendaz · 2024-04-09T21:04:26Z

I tried to look around for how this is done exactly but couldn't find the exact source location. The resulting checker.jar has shaded guava from known vulnerable version. Is there a hard requirement that is shaded and if so, can it be upgraded to latest release?

mernst · 2024-04-09T22:57:42Z

Thank you for pointing out this issue. I appreciate it.

One reason for the shading is explained at the very end of https://checkerframework.org/manual/#common-problems-running . Without shading, Error Prone and Nullaway break the Checker Framework, and other tools might too, and this applies to libraries as well.

I will upgrade the version of Guava that the Checker Framework uses, so that will be in the next release, which is planned for May 1 or earlier.

mernst changed the title ~~Shaded Guava is listed as vulnerable by dependency check plugin~~ Update org.checkerframework.annotatedlib:guava to Guava 33.1.0 Apr 9, 2024

mernst self-assigned this Apr 9, 2024

mernst linked a pull request Apr 24, 2024 that will close this issue

Use Guava version 33.1.0 #6546

Merged

mernst closed this as completed in #6546 Apr 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update org.checkerframework.annotatedlib:guava to Guava 33.1.0 #6531

Update org.checkerframework.annotatedlib:guava to Guava 33.1.0 #6531

hazendaz commented Apr 9, 2024

mernst commented Apr 9, 2024

Update org.checkerframework.annotatedlib:guava to Guava 33.1.0 #6531

Update org.checkerframework.annotatedlib:guava to Guava 33.1.0 #6531

Comments

hazendaz commented Apr 9, 2024

mernst commented Apr 9, 2024