This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

Dependencies not upgraded #154

Open
akankshagaur opened this issue Jul 27, 2018 · 3 comments
@akankshagaur

Hi,

I see that Google endpoints framework releases do not contain the latest releases of its dependent libraries which have security vulnerabilities.

For example, the Guava dependency version used is 20 while the latest version is 25.1. Also, since Guava is based on the Checker Framework, which is GPL, won't it affect developers?
Is there an alternative to the Checker Framework which can be used in the Endpoints Framework?

Thanks

@tangiel
Contributor

tangiel commented Jul 31, 2018

The particular library which Guava depends on in the Checker Framework is MIT licensed, so that is not an issue.

@tangiel tangiel self-assigned this Aug 2, 2018
@tangiel
Contributor

tangiel commented Aug 2, 2018

So there is an issue in that Guava 21+ requires Java 8, unless you use the -android dependency. Right now App Engine still supports Java 7 so we have to support it. But that could also mean classpath conflicts with people who use the Java 8 runtime and the -jre dependency. I'm not entirely sure what the best solution is right now.

@akankshagaur
Author

Ok, that clarifies the issue. Thanks
