Nice on the gRPC update to a much newer Guava. Once that is out, it would be
worthwhile to bump up our usage as well.

On Mon, Oct 15, 2018 at 2:44 PM Andrew Pilloud <apill...@google.com> wrote:

> gRPC 1.15 was stuck at 20.0 for Java 6 support, but supports 24.1.1+
> <https://github.com/grpc/grpc-java/issues/4176#issuecomment-371305847>.
> gRPC 1.16 will be out in about a week with a dependency on Guava 26.0 (
> https://github.com/grpc/grpc-java/blob/v1.16.x/build.gradle#L114).
>
> I stuck the change into a PR to see what would break, looks like a lot of
> things are unhappy: https://github.com/apache/beam/pull/6695
>
> Andrew
>
> On Mon, Oct 15, 2018 at 2:11 PM Lukasz Cwik <lc...@google.com> wrote:
>
>> For example, we vendor gRPC and it still depends on 20.0 in its latest
>> version (https://mvnrepository.com/artifact/io.grpc/grpc-core/1.15.1).
>>
>> On Mon, Oct 15, 2018 at 2:10 PM Lukasz Cwik <lc...@google.com> wrote:
>>
>>> 20.0 is a common version used by many of our dependencies, using 20.0 is
>>> least likely to cause classpath issues. Note that with Guava 22.0+, they
>>> have said they won't introduce backwards incompatible changes anymore so
>>> getting past 22.0 would mean we could just rely on using the latest at all
>>> times.
>>>
>>> I'm not sure of the cost of upgrading our dependencies to be compatible
>>> with 22.0+, though.
>>>
>>> On Mon, Oct 15, 2018 at 11:11 AM Andrew Pilloud <apill...@google.com>
>>> wrote:
>>>
>>>> We vendor a known vulnerable version of Guava. The specific
>>>> vulnerability is low to no impact on Beam but it does potentially affect
>>>> any server that uses Java serialization with Beam on the classpath. Do we
>>>> have a reason for still being on Guava 20.0?
>>>>
>>>> https://github.com/google/guava/wiki/CVE-2018-10237
>>>>
>>>> Andrew
>>>>
>>>
