chore(): pin Guava via externalDependency and unify resolution #17202

Merged: david-leifker merged 2 commits into master from fix/guava-32-1-3-cve-2023-2976 on Apr 27, 2026
@david-leifker
Collaborator

No description provided.

- Add buildscript ext.guavaVersion; wire externalDependency.guava and
  resolutionStrategy.force for a single com.google.guava:guava (*-jre) line
- Update buildSrc and contrib validator; refresh Gradle lockfiles
- CVE-2023-2976 (insecure temp dir) is fixed in Guava 32.0+; 33.6.0 is
  the current latest 33.x on Maven Central

Made-with: Cursor
Define com.google.guava:guava:33.6.0-jre in project.ext.externalDependency, remove the separate buildscript guavaVersion, and use that map entry for resolutionStrategy.force so the forced version always matches the catalog. Point buildSrc and the demo governance validator at the same coordinate with comments; hoist datahubRoot in the contrib build for reuse.

Made-with: Cursor
@github-actions github-actions Bot added the ingestion (PR or Issue related to the ingestion of metadata), product (PR or Issue related to the DataHub UI/UX) and devops (PR or Issue related to DataHub backend & deployment) labels Apr 27, 2026
@david-leifker david-leifker changed the title from "deps(): pin Guava via externalDependency and unify resolution" to "chore(): pin Guava via externalDependency and unify resolution" Apr 27, 2026
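
A way to check the outcome the commit messages above describe (one `com.google.guava:guava` `-jre` line at 32.0 or later in every refreshed lockfile), added here as an example and not part of the PR or the DataHub build. It assumes Gradle's `gradle.lockfile` line format `group:artifact:version=configurations`; the function names and the sample lockfiles are constructed for illustration.

```python
import re
from pathlib import Path

COORD = "com.google.guava:guava"
MIN_FIXED = (32, 0)  # from the PR text: CVE-2023-2976 is fixed in Guava 32.0+

def guava_versions(lock_text):
    """Return {version: [configurations]} for guava entries in one gradle.lockfile."""
    found = {}
    for line in lock_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("empty="):
            continue
        coord, _, configs = line.partition("=")
        group_artifact, _, version = coord.rpartition(":")
        if group_artifact == COORD:
            found.setdefault(version, []).extend(c for c in configs.split(",") if c)
    return found

def numeric(version):
    """'33.6.0-jre' -> (33, 6, 0); the flavor suffix is ignored for ordering."""
    return tuple(int(n) for n in re.match(r"\d+(?:\.\d+)*", version).group().split("."))

def audit(lockfiles):
    """lockfiles: {path: text}. Return a list of findings; an empty list means clean."""
    findings, seen = [], set()
    for path, text in sorted(lockfiles.items()):
        for version, configs in sorted(guava_versions(text).items()):
            seen.add(version)
            if numeric(version) < MIN_FIXED:
                findings.append(f"{path}: guava {version} predates 32.0 ({', '.join(configs)})")
            if not version.endswith("-jre"):
                findings.append(f"{path}: guava {version} is not the -jre flavor")
    if len(seen) > 1:
        findings.append("multiple guava versions locked: " + ", ".join(sorted(seen)))
    return findings

def audit_tree(root):
    """Audit every gradle.lockfile under a checkout directory."""
    return audit({str(p): p.read_text() for p in Path(root).rglob("gradle.lockfile")})

# Constructed sample lockfiles (not taken from the DataHub repository).
SAMPLE = {
    "app/gradle.lockfile": "# comment\ncom.google.guava:guava:33.6.0-jre=compileClasspath,runtimeClasspath\nempty=\n",
    "tool/gradle.lockfile": "com.google.guava:guava:31.1-android=runtimeClasspath\ncom.google.guava:failureaccess:1.0.1=runtimeClasspath\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running `audit_tree(".")` from a checkout after a lockfile refresh gives a CI-friendly pass/fail signal: any returned finding means some configuration still resolves an older or differently flavored Guava despite the forced version.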

codecov Bot commented Apr 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


alwaysmeticulous Bot commented Apr 27, 2026

🔴 Meticulous spotted visual differences in 1 of 1468 screens tested: view and approve differences detected.

Meticulous evaluated ~10 hours of user flows against your PR.

Last updated for commit 066911b build: pin Guava via externalDependency and unify resolution. This comment will update as new commits are pushed.


codecov Bot commented Apr 27, 2026

Bundle Report

Bundle size has no change ✅

@maggiehays maggiehays added the needs-review (Label for PRs that need review from a maintainer) label Apr 27, 2026
@david-leifker david-leifker merged commit db456c1 into master Apr 27, 2026
101 of 105 checks passed
@david-leifker david-leifker deleted the fix/guava-32-1-3-cve-2023-2976 branch April 27, 2026 14:57