typescriptpoet

Remove Guava or upgrade Guava version to one without vulnerabilities

Open • tinacious opened this issue 5 months ago • 0 comments

The version of Guava in the project is 22. Is it being used?

This version is affected by several CVEs:

  • https://www.cvedetails.com/cve/CVE-2018-10237/
  • https://www.cvedetails.com/cve/CVE-2020-8908/
  • https://www.cvedetails.com/cve/CVE-2023-2976/

Summary: https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-52274/Google-Guava.html

This is causing failures in security tooling for this library.

It looks like Guava was possibly added with the initial project generation and is possibly not being used. I don't see any imports referencing this library.

tinacious, Jul 17 '25 15:07