Update to Guava 32.0.1+

[cdietrich]

No description provided.

[cdietrich]

Blocked by no new guice version

[cdietrich]

Meanwhile Guava 32 is released.
unclear if there will be new guice using it

[cherylking]

I just received a CVE alert (CVE-2023-2976) related to the use of guava-30.1-jre in this artifact and the recommendation is to move to guava-32.0.1-jre. Should I open a new issue for this? Looks like there has not been much progress on this current issue for upgrading to 31.1.

[cdietrich]

there is already

#2101

this needs to be done together with

#2056

so far i got ZERO feedback or testing feedback on that one.
nor did i get any help or contributions ...

[cdietrich]

@merks @HannesWell you looked into new guice and guava from maven-orbit pov
what is the state of the investigations with the transitive guava dependencies there?

[cdietrich]

@cherylking btw you use lsp4j. current lsp4j versions no longer have a guava dependency

[merks]

There is https://repo1.maven.org/maven2/com/google/guava/guava/32.0.1-jre/ and it’s available in https://download.eclipse.org/oomph/simrel-maven/2023-09/index.html along with any of its dependencies.

[cdietrich]

I am asking for the p2 side of things.
I assume guice uses guava 31

[cdietrich]

it has

Import-Package: com.google.common.base;version="31.0",com.google.commo
n.cache;version="31.0",com.google.common.collect;version="31.0",com.g
oogle.common.primitives;version="31.0",com.google.errorprone.annotati
ons;resolution:=optional,jakarta.inject;version="2.0",org.aopalliance
.intercept,sun.misc

so i assume it works (did not test with tycho)
so adding guice 7 might do the trick.

but i also assume we then need to go the screw you backwards compatibility route cause of javax/jakarta.inject
dependency

@szarnekow @LorenzoBettini any opinions?

[cherylking]

@cherylking btw you use lsp4j. current lsp4j versions no longer have a guava dependency

Ooh...good to know. Which version do I need to update to in order to not have the guava dependency? Is it 0.21.0 with PR 529?

[cdietrich]

yes 0.21.0 is fine for lsp4j

[cdietrich]

more experiments with that on https://github.com/eclipse/xtext/compare/cd_testg32guice7

[HannesWell]

I am asking for the p2 side of things. I assume guice uses guava 31

Yes it does as you already ask in their GH issues and they said that they don't plan to upgrade since one can use newer versions by corresponding build-tool configuration (google/guice#1642 (comment)).

But luckily Guice only has a lower bound specified for the guava packages, so one can use any version from 31 onwards.

so i assume it works (did not test with tycho)
so adding guice 7 might do the trick.

I assume that as well and AFAIK Guice uses Guava only internally so class-space consistency should not be an issue.
FYI Guice 6 has the same lower bound for Guava as Guice 7 (i.e. Guava 31), so you could also use Guice 6 as minimum requirement.
If possible I would make Guice 6 the lower bound for XText but would widen the version range to also allow Guice 7, then provide Guice 6 in XText's repo. But if users want to use newer versions they can just include them in their TP.

but i also assume we then need to go the screw you backwards compatibility route cause of javax/jakarta.inject
dependency

At least from a Eclipse-Platforms POV I try to support both javax.inject as well as jakarta.inject when adding support for that.
If you are interested: eclipse-platform/eclipse.platform.releng.aggregator#1056

But as said in #2668 personally I have no need for backwards compatibility as long as other SimRel projects like Xcore can follow.

[cdietrich]

@merks where can i find the target file for https://download.eclipse.org/oomph/simrel-orbit/2023-09

[merks]

I'm very busy migrating Oomph to GitHub. The new location is here:

https://github.com/eclipse-oomph/oomph.incubator/blob/master/maven/tp/Maven.target

[cdietrich]

Fixed in 2.32