Remove guava library which is reported as potential security issue. D… #7163
Conversation
…ependency is apparently very old and not necessary any longer. Code compiles cleanly when the dependency is removed from the project
|
Need to take another look at this. Removing the dependency from the pom causes a later version of the library to be pulled in, but it still has the reported memory problem. |
|
One source of the dependency is the use of org.everit.json.schema.* in edu.harvard.iq.dataverse.provenance.ProvInvestigator |
|
FWIW: I think the google cloud library I've used in #7140 uses guava and if I recall correctly, it needs a newer version ((v>20) than the one in Glassfish (in the /modules subdir). I'm not sure if payara also uses guava as glassfish did, but that's something to check. |
The functionality is validating JSON files against a JSON Schema. I don't know if Java/Jakarta EE does that or not. Good question. A quick search isn't promising:
|
|
FWIW @pdurbin JSON Schema is about to become an IETF standard some day. See https://json-schema.org/ |
|
btw, it turned out that there were 5 libraries we use that are dependent on guava. Instead of removing it, there is now a pull request that upgrades the guava version to 29.0-jre |
…ependency is apparently very old and not necessary any longer. Code compiles cleanly when the dependency is removed from the project
What this PR does / why we need it:
Which issue(s) this PR closes:
Closes #
Special notes for your reviewer:
Suggestions on how to test this:
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
Is there a release notes update needed for this change?:
Additional documentation: