deps: update guava to 33.4.8-android in google-http-client and google-http-client-apache-v5

diegomarquezp · web-flow · commit 557e296c746a · 2025-07-24T16:33:57.000-04:00
This implies a drop for support of Java 7 in google-http-client, also documented in README.md
diff --git a/README.md b/README.md
@@ -17,9 +17,14 @@ content. The JSON and XML libraries are also fully pluggable, and they include s
 
 The library supports the following Java environments:
 
-- Java 7 or higher
-  - The google-http-client-jackson2 and google-http-client-appengine modules require Java 8 or
-    higher due to their dependencies.
+- Java 7 or higher. The following modules require Java 8 or
+    higher due to their dependencies:
+  - google-http-client (Java 7 is supported until version [1.47.1](https://github.com/googleapis/google-http-java-client/releases/tag/v1.47.1))
+	- Note that version [TBD-1] contains Guava version `30.1.1`, which contains a [known CVE](https://www.cvedetails.com/cve/CVE-2023-2976/).
+	In order to avoid scanners from flagging this vulnerability, please upgrade your project to Java 8 and use the latest version of `google-http-client`
+  - google-http-client-apache-v5 (Java 7 is supported until version [1.47.1](https://github.com/googleapis/google-http-java-client/releases/tag/v1.47.1))
+  - google-http-client-jackson2 (Java 7 is supported until version [1.40.0](https://github.com/googleapis/google-http-java-client/releases/tag/v1.40.0) via [Jackson](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13#compatibility-jdk-requirements))
+  - google-http-client-appengine (Java 7 [not supported](https://cloud.google.com/appengine/docs/standard/deprecations/shut-down))
 - Android 4.4 (Kit Kat)
 - GoogleAppEngine Google App Engine
 
diff --git a/google-http-client-apache-v5/pom.xml b/google-http-client-apache-v5/pom.xml
@@ -98,6 +98,8 @@
     <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
+	  <!-- We use the Java 8 compatible version due to https://www.cvedetails.com/cve/CVE-2023-2976/ -->
+	  <version>33.4.8-android</version>
     </dependency>
     <dependency>
       <groupId>org.apache.httpcomponents.client5</groupId>
diff --git a/google-http-client/pom.xml b/google-http-client/pom.xml
@@ -141,6 +141,8 @@
     <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
+	  <!-- We use the Java 8 compatible version due to https://www.cvedetails.com/cve/CVE-2023-2976/ -->
+	  <version>33.4.8-android</version>
     </dependency>
     <dependency>
       <groupId>com.google.j2objc</groupId>
