
dependabot: guava

Open raboof opened this issue 1 year ago • 0 comments

our GitHub 'security' tab claims that we depend on a version of guava that is vulnerable to GHSA-mvr2-9pj6-7w5j.

I think this is a false positive: I think this is the guava that comes in as a transitive dependency of leveldb, but this is an optional;provided dependency. This apparently ends up in the compile-internal and optional scopes.

I think we should probably exclude the compile-internal and optional scopes, and use the dependabot security report for artifacts that actually come in as transitive dependencies for our users. The chance that an advisory for an optional/provided/test/build-time dependency actually impacts our build seems too small to justify the noise it adds.

raboof, Nov 07 '24 13:11
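The scope exclusion proposed in the issue, written out as a workflow fragment. This is an added example, not the issue author's text and not the pekko project's own workflow; it assumes the dependency graph is uploaded with the sbt/sbt-dependency-submission action, whose `configs-ignore` input lists sbt configurations to leave out of the submitted snapshot, and the action versions and the commented "default" ignore list are assumptions.

```yaml
# Added example (not pekko's workflow): submit the sbt dependency graph to
# GitHub so that Dependabot alerts are computed from it, while leaving out
# configurations whose artifacts never reach downstream users.
name: Dependency graph
on:
  push:
    branches: [main]
jobs:
  submit:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # the dependency submission API needs write access
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: sbt/sbt-dependency-submission@v3
        with:
          # Weak setting (assumed default): only build-tool configurations are
          # ignored, so leveldb's optional;provided guava, which surfaces in
          # compile-internal and optional, is reported and trips the
          # GHSA-mvr2-9pj6-7w5j alert although no user ever resolves it.
          # configs-ignore: test scala-tool scala-doc-tool
          #
          # Corrected setting: also drop the scopes that are not published as
          # transitive dependencies, so an alert means a real user-facing path.
          configs-ignore: test scala-tool scala-doc-tool provided optional compile-internal
```

After changing the list, re-run the workflow and confirm on the security tab that the remaining alerts name artifacts present in the published POM's compile or runtime scope.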