Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adopt guava-jre v32.1.2 #63

Merged
merged 1 commit into from
Aug 4, 2023
Merged

Adopt guava-jre v32.1.2 #63

merged 1 commit into from
Aug 4, 2023

Conversation

timtebeek
Copy link
Contributor

@timtebeek timtebeek commented Aug 2, 2023
edited

What's changed?

Update Guava to https://github.com/google/guava/releases/tag/v32.1.2

What's your motivation?

https://nvd.nist.gov/vuln/detail/CVE-2023-2976 was reported and suppressed downstream in openrewrite/rewrite-maven-plugin@1600c14.

Anything in particular you'd like reviewers to focus on?

The release notes seem to indicate the earlier issue has been solved:

google/guava#6642 (comment) the section of our Gradle metadata that caused Gradle to report conflicts with listenablefuture. (google/guava@9ed0fa6)

Would you agree with that assessment?

Any additional context

A previous attempt to upgrade as reverted in f487df7

@timtebeek timtebeek self-assigned this Aug 2, 2023
@timtebeek timtebeek requested review from joanvr and rpau August 2, 2023 12:46
@timtebeek timtebeek added the bug Something isn't working label Aug 2, 2023
@timtebeek timtebeek mentioned this pull request Aug 2, 2023
Merged
rpau
rpau reviewed Aug 3, 2023
View reviewed changes
build.gradle.kts
@@ -40,7 +40,7 @@ dependencies {
implementation("io.micrometer:micrometer-core:1.9.+")
runtimeOnly("org.jetbrains.kotlinx:kotlinx-coroutines-core-jvm:1.5.0")
runtimeOnly("it.unimi.dsi:fastutil:8.5.2")
runtimeOnly("com.google.guava:guava:31.1-jre")
runtimeOnly("com.google.guava:guava:32.1.2-jre")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should test if this works with the gradle plugin. We have an issue with another guava dependency that caused an incompatibility issue. If the build works, then it is fine.

rpau
rpau reviewed Aug 3, 2023
View reviewed changes
Copy link
Contributor

@rpau rpau left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just requesting to test the local build with the gradle plugin. If it works, feel free to merge it

@timtebeek
Copy link
Contributor Author

I have:

  1. published rewrite-python to maven local
  2. published the gradle plugin to maven local
  3. added an init.gradle to spring-petclinic, to run org.openrewrite.java.OrderImports
  4. ran ./gradlew --init-script init.gradle rewriteRun on the spring-petclinic
  5. verified that resulted in BUILD SUCCESSFUL in 13s

@timtebeek timtebeek merged commit 1f400c4 into main Aug 4, 2023
3 checks passed
@timtebeek timtebeek deleted the dependencies/guava-32.1.2 branch August 4, 2023 11:36
timtebeek added a commit that referenced this pull request Aug 4, 2023
@timtebeek
Revert "Adopt guava-jre v32.1.2 (#63)"
f9d1b4e 
This reverts commit 1f400c4.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rpau rpau rpau left review comments

@joanvr joanvr joanvr approved these changes

Assignees

@timtebeek timtebeek

Labels
bug Something isn't working
Projects
OpenRewrite
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@timtebeek @joanvr @rpau