Skip to content

Bump com.google.guava:guava from 31.1-android to 33.6.0-android#48

Open
dependabot[bot] wants to merge 3 commits into
masterfrom
dependabot/gradle/com.google.guava-guava-33.6.0-android
Open

Bump com.google.guava:guava from 31.1-android to 33.6.0-android#48
dependabot[bot] wants to merge 3 commits into
masterfrom
dependabot/gradle/com.google.guava-guava-33.6.0-android

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps com.google.guava:guava from 31.1-android to 33.6.0-android.

Release notes

Sourced from com.google.guava:guava's releases.

33.6.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>33.6.0-jre</version>
  <!-- or, for Android: -->
  <version>33.6.0-android</version>
</dependency>

Jar files

Guava requires one runtime dependency, which you can download here:

Javadoc

JDiff

Changelog

  • Migrated some classes from finalize() to PhantomReference in preparation for the removal of finalization. (786b619dd6, 7c6b17c, aeef90988d)
  • cache: Deprecated CacheBuilder APIs that use TimeUnit in favor of those that use Duration. (73f8b0bb84)
  • collect: Added toImmutableSortedMap collectors that use the natural comparator. (64d70b9f94)
  • collect: Changed ConcurrentHashMultiset, ImmutableMap and TreeMultiset deserialization to avoid mutating final fields. In extremely unlikely scenarios in which an instance of that type contains an object that refers back to that instance, this could lead to a broken instance that throws NullPointerException when used. (8240c7e596, 046468055f)
  • graph: Removed @Beta from all APIs in the package. (dae9566b73)
  • graph: Added support to Graphs.transitiveClosure() for different strategies for adding self-loops. (2e13df25b2)
  • graph: Added an asNetwork() view to Graph and ValueGraph. (909c593c61)
  • hash: Added BloomFilter.serializedSize(). (df9bcc251a)
  • net: Added HttpHeaders.CDN_CACHE_CONTROL. (75331b5030)

33.5.0

Maven

<dependency>
</tr></table> 

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [com.google.guava:guava](https://github.com/google/guava) from 31.1-android to 33.6.0-android.
- [Release notes](https://github.com/google/guava/releases)
- [Commits](https://github.com/google/guava/commits)

---
updated-dependencies:
- dependency-name: com.google.guava:guava
  dependency-version: 33.6.0-android
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 7, 2026
Dependabot bumped the guava version string in build.gradle but did not
regenerate lib/gradle.lockfile, which still pinned the old dependency
graph under dependencyLocking. This left the build failing with
"Cannot find a version of 'com.google.guava:guava' that satisfies the
version constraints" since the lock strictly enforced 31.1-android.

Regenerated via `gradle :lib:dependencies --write-locks`, which also
picks up guava's downstream annotation dependency swap (jsr305 +
checker-qual -> jspecify) and minor bumps to failureaccess,
error_prone_annotations, and j2objc-annotations.

Copy link
Copy Markdown

Review: Guava 31.1-android → 33.6.0-android

Usage analysis: Guava is used in exactly one place in this codebase — EncryptionService.java calls com.google.common.primitives.Bytes.concat(...) to build the ECDH shared-secret hash input. Bytes.concat is a long-stable, non-@Beta API with no signature or behavioral changes across any release between 31.1 and 33.6.

Changelog review (all releases 31.1 → 33.6.0): No breaking changes affect this project. Notable items, none applicable here:

  • The -jre flavor raised its Java baseline to 9 in 32.0.0; we're on (and staying on) the -android flavor, which still supports Java 8 — matches this project's sourceCompatibility 1.8.
  • Guava 33.x swapped its nullness-annotation dependencies from jsr305/checker-qual to jspecify — a transitive-only change, not referenced directly in our code.
  • No CVEs in this range affecting APIs we use.

Security/suspicious concerns: None. Standard Dependabot version bump, single-line diff, no new direct dependencies.

Build verification: The build as opened did not passlib/gradle.lockfile (this repo enables Gradle dependency locking) still pinned Guava at 31.1-android and its old transitive versions, so ./gradlew :lib:compileJava failed with:

Cannot find a version of 'com.google.guava:guava' that satisfies the version constraints:
... Constraint path ... 'com.google.guava:guava:{strictly 31.1-android}' because of the following reason: Dependency version enforced by Dependency Locking

I regenerated the lockfile (gradle :lib:dependencies --write-locks) and pushed it as a follow-up commit on this branch. That picks up the expected transitive bumps (failureaccess 1.0.1→1.0.3, error_prone_annotations, j2objc-annotations, and the jsr305/checker-qualjspecify swap noted above).

After that fix, gradle :lib:build compiles cleanly and the test suite runs identically to master: 121 tests, same 15 failures on both branches (all in the EndToEndTests suite — they fail with EvervaultException during static init because live Evervault API credentials aren't available in this sandbox; unrelated to this dependency and pre-existing on master).

Verdict: safe to merge once the lockfile commit here is included — the version bump itself is low-risk given our minimal Guava surface area, but it needed the lockfile regenerated to actually build.


Generated by Claude Code

@socket-security

socket-security Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedmaven/​com.google.code.gson/​gson@​2.14.0 ⏵ 2.8.93610090100100
Updatedmaven/​com.google.guava/​guava@​31.1-android ⏵ 33.6.0-android36100 +390100100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: maven com.google.code.gson:gson is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: lib/gradle.lockfilemaven/com.google.code.gson/gson@2.8.9

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/com.google.code.gson/gson@2.8.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Development

Successfully merging this pull request may close these issues.

3 participants