Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Task]: Upgrade vendored guava to 32.1.2-jre #27801

Closed
1 of 15 tasks
Abacn opened this issue Aug 2, 2023 · 3 comments · Fixed by #27895
Closed
1 of 15 tasks

[Task]: Upgrade vendored guava to 32.1.2-jre #27801

Abacn opened this issue Aug 2, 2023 · 3 comments · Fixed by #27895
Assignees
@Abacn
Labels
java P2 task
Milestone
2.50.0 Release

Comments

@Abacn
Copy link
Contributor

Abacn commented Aug 2, 2023
edited
Loading

What needs to happen?

The last time we upgraded guava was back to 2019 (v20->v26) which is 4 years old now. There are also a few (temp file) vulnerabilities since then. In general these vulnerabilities are not exploitable in Beam, as these lib are only used by Beam code, we should upgrade the vendor dependency

A good candidate is the latest 32.1.2-jre, which is also included in Google Cloud Java lib LTS 5.0: GoogleCloudPlatform/cloud-opensource-java#2343

Issue Priority

Priority: 2 (default / most normal work should be filed as P2)

Issue Components

  • Component: Python SDK
  • Component: Java SDK
  • Component: Go SDK
  • Component: Typescript SDK
  • Component: IO connector
  • Component: Beam examples
  • Component: Beam playground
  • Component: Beam katas
  • Component: Website
  • Component: Spark Runner
  • Component: Flink Runner
  • Component: Samza Runner
  • Component: Twister2 Runner
  • Component: Hazelcast Jet Runner
  • Component: Google Cloud Dataflow Runner
@Abacn Abacn self-assigned this Aug 2, 2023
@Abacn
Copy link
Contributor Author

Abacn commented Aug 2, 2023

CC: @burkedavison @suztomo

@damccorm damccorm mentioned this issue Aug 2, 2023
Merged
3 tasks
@Abacn Abacn added this to the 2.51.0 Release milestone Aug 3, 2023
@Abacn
Copy link
Contributor Author

Abacn commented Aug 3, 2023

Because v2.50 cut is close, better to have time to exercise tests to capture potential issue so set a milestone of 2.51.

@Abacn
Copy link
Contributor Author

Abacn commented Aug 7, 2023

There is hope to get this in by v2.50.0, so remove the milestone of 2.51 for now

@Abacn Abacn removed this from the 2.51.0 Release milestone Aug 7, 2023
@Abacn Abacn mentioned this issue Aug 8, 2023
Merged
3 tasks
@github-actions github-actions bot added this to the 2.50.0 Release milestone Aug 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Abacn Abacn

Labels
java P2 task
Projects
None yet
Milestone
2.50.0 Release
Development

Successfully merging a pull request may close this issue.

Use vendor guava 32.1.2-jre Abacn/beam
1 participant
@Abacn