gRPC 1.15 was stuck at 20.0 for Java 6 support, but supports 24.1.1+ <https://github.com/grpc/grpc-java/issues/4176#issuecomment-371305847>. gRPC 1.16 will be out in about a week with a dependency on Guava 26.0 (https://github.com/grpc/grpc-java/blob/v1.16.x/build.gradle#L114).
I stuck the change into a PR to see what would break, looks like a lot of things are unhappy: https://github.com/apache/beam/pull/6695

Andrew

On Mon, Oct 15, 2018 at 2:11 PM Lukasz Cwik <lc...@google.com> wrote:

> For example, we vendor gRPC and it still depends on 20.0 in its latest
> version (https://mvnrepository.com/artifact/io.grpc/grpc-core/1.15.1).
>
> On Mon, Oct 15, 2018 at 2:10 PM Lukasz Cwik <lc...@google.com> wrote:
>
>> 20.0 is a common version used by many of our dependencies, using 20.0 is
>> least likely to cause classpath issues. Note that with Guava 22.0+, they
>> have said they won't introduce backwards incompatible changes anymore so
>> getting past 22.0 would mean we could just rely on using the latest at all
>> times.
>>
>> I'm not sure the cost of upgrading our dependencies to be compatible with
>> 22.0+ though.
>>
>> On Mon, Oct 15, 2018 at 11:11 AM Andrew Pilloud <apill...@google.com>
>> wrote:
>>
>>> We vendor a known vulnerable version of Guava. The specific
>>> vulnerability is low to no impact on Beam but it does potentially affect
>>> any server that uses Java serialization with Beam on the classpath. Do we
>>> have a reason for still being on Guava 20.0?
>>>
>>> https://github.com/google/guava/wiki/CVE-2018-10237
>>>
>>> Andrew