CVE-2023-2976 #1157
Comments
I've analyzed this issue as follows:
So there's no actual vulnerability for JGraphT. The issue would be if someone was using our adapter module, and ended up with a dependency conflict as a result of trying to use the latest version of Guava. So if someone runs into that, we'll need to provide a point release at that time.
You are right.
I've updated the dependencies and pushed them into main. Our snapshot build now imports the latest guava version.
Issue
com.google.guava until 31.01 is affected by the CVE-2023-2976
Steps to reproduce (small coding example)
Expected behaviour
jgrapht guava without a vulnerable dependency
Other information