Skip to content

Update dependency com.google.guava:guava to v32 [SECURITY] #56

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency com.google.guava:guava to v32 [SECURITY] #56

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 10, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
com.google.guava:guava 31.1-jre32.0.0-android age confidence

GitHub Vulnerability Alerts

CVE-2020-8908

A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.

CVE-2023-2976

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner November 10, 2023 05:06
@codecov
Copy link

codecov bot commented Nov 10, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.49%. Comparing base (f406a59) to head (82172fe).
Report is 7 commits behind head on master.

❗ Current head 82172fe differs from pull request most recent head 670570a. Consider uploading reports for the commit 670570a to get more accurate results

Additional details and impacted files 
@@             Coverage Diff              @@
##             master      #56      +/-   ##
============================================
+ Coverage     74.42%   74.49%   +0.06%     
- Complexity      587      593       +6     
============================================
  Files           149      150       +1     
  Lines          2937     2945       +8     
  Branches        140      141       +1     
============================================
+ Hits           2186     2194       +8     
+ Misses          636      635       -1     
- Partials        115      116       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@renovate renovate bot force-pushed the renovate/maven-com.google.guava-guava-vulnerability branch from 82172fe to 670570a Compare May 1, 2024 08:45
@renovate renovate bot force-pushed the renovate/maven-com.google.guava-guava-vulnerability branch 13 times, most recently from f3496d7 to 3a8fa41 Compare August 9, 2024 13:53
@renovate renovate bot force-pushed the renovate/maven-com.google.guava-guava-vulnerability branch 3 times, most recently from 3b19d97 to 4bf9db4 Compare August 27, 2024 12:22
@renovate renovate bot force-pushed the renovate/maven-com.google.guava-guava-vulnerability branch from 4bf9db4 to 3ec253d Compare September 26, 2024 08:34
@renovate renovate bot force-pushed the renovate/maven-com.google.guava-guava-vulnerability branch 2 times, most recently from 6316c48 to f274b7f Compare October 21, 2024 12:47
@renovate renovate bot force-pushed the renovate/maven-com.google.guava-guava-vulnerability branch from f274b7f to 2bae14f Compare November 12, 2024 07:48
@renovate renovate bot force-pushed the renovate/maven-com.google.guava-guava-vulnerability branch from 2bae14f to 553569a Compare June 3, 2025 11:55
@renovate renovate bot force-pushed the renovate/maven-com.google.guava-guava-vulnerability branch 5 times, most recently from 2ea32e2 to 3031d64 Compare August 6, 2025 10:38
@renovate renovate bot force-pushed the renovate/maven-com.google.guava-guava-vulnerability branch from 3031d64 to 2c190a9 Compare August 27, 2025 09:53
@renovate renovate bot force-pushed the renovate/maven-com.google.guava-guava-vulnerability branch from 2c190a9 to 5675579 Compare August 29, 2025 06:45
@renovate renovate bot force-pushed the renovate/maven-com.google.guava-guava-vulnerability branch from 5675579 to 7c1dea6 Compare August 29, 2025 10:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant