20.0 is a common version used by many of our dependencies, so using 20.0 is
least likely to cause classpath issues. Note that with Guava 22.0+, they
have said they won't introduce backwards-incompatible changes anymore, so
getting past 22.0 would mean we could just rely on using the latest at all
times.

I'm not sure of the cost of upgrading our dependencies to be compatible with
22.0+, though.

On Mon, Oct 15, 2018 at 11:11 AM Andrew Pilloud <[email protected]> wrote:

> We vendor a known vulnerable version of Guava. The specific vulnerability
> is low to no impact on Beam but it does potentially affect any server that
> uses Java serialization with Beam on the classpath. Do we have a reason for
> still being on Guava 20.0?
>
> https://github.com/google/guava/wiki/CVE-2018-10237
>
> Andrew
>

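Added example, not code from the thread, from Beam, or from Guava: the kind of stop-gap a server operator can apply while a vulnerable Guava is still on the classpath and the server deserializes data it does not control. It uses the JDK's built-in serialization filter (JEP 290, Java 9+) to reject the Guava class the CVE names for Java serialization, AtomicDoubleArray, and to cap array lengths so that an attacker-chosen size is refused before the allocation happens. The limits and the rejected class list are assumptions to be tuned per application; the oversized array in main() is a constructed stand-in for a hostile stream, not an exploit payload.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Beam or Guava code). A JDK serialization filter that a
 * server can install on every ObjectInputStream fed with untrusted bytes
 * while a Guava affected by CVE-2018-10237 is still on the classpath.
 * Anything the filter marks REJECTED makes readObject() throw
 * InvalidClassException before the object (or array) is allocated.
 */
public class GuavaDeserializationGuard {

    // Assumed limits: pick values the application's real payloads stay under.
    // "!" rejects the named class; maxarray/maxdepth/maxrefs bound the
    // resources a single stream may ask for, which is the failure mode behind
    // the CVE (eager allocation sized by attacker data).
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxarray=100000;maxdepth=20;maxrefs=10000;"
            + "!com.google.common.util.concurrent.AtomicDoubleArray");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter must be set before the first readObject() call.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Benign payload: within every limit, so it passes.
        List<String> ok = new ArrayList<>(List.of("a", "b"));
        System.out.println("accepted: " + deserialize(serialize(ok)));

        // Constructed stand-in for an attacker-chosen array length: the filter
        // sees the length (1,000,000 > maxarray) and rejects the stream before
        // ObjectInputStream allocates the array.
        try {
            deserialize(serialize(new double[1_000_000]));
            System.out.println("unexpected: oversized array was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 8u121+ the same filter can be attached with ObjectInputFilter.Config.setObjectInputFilter(ois, filter) from sun.misc instead of the instance method, and a process-wide default can be set with the jdk.serialFilter system property so that streams the application does not construct itself are covered too. This does not replace the Guava upgrade; it only limits what a hostile stream can make the JVM allocate until the dependency is bumped.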