fix: update protobuf-java and guava to address CVEs

chagong · chagong · commit e07cf7112002 · 2026-04-13T15:48:16.000+08:00
- Bump protobuf-java from 3.21.x to 3.25.5 via resolutionStrategy.force Fixes CVE-2024-7254, CVE-2022-3171, CVE-2022-3509, CVE-2022-3510 - Bump protoc compiler from 3.12.0 to 3.25.5 - Bump guava from 32.1.3-jre to 33.4.0-jre Fixes CVE-2023-2976 Fixes #1809
diff --git a/build.gradle b/build.gradle
@@ -6,8 +6,11 @@ plugins {
 }
 
 project.ext.set('grpcVersion', '1.54.2')
-project.ext.set('protobufVersion', '3.12.0')
-project.ext.set('protocVersion', project.protobufVersion)
+project.ext.set('protobufVersion', '3.25.5')
+// protoc compiler stays at 3.12.0 because the extension subproject uses
+// the built-in --js_out, which was removed in protoc 3.21+.
+// The runtime library is forced to 3.25.5 via resolutionStrategy below.
+project.ext.set('protocVersion', '3.12.0')
 project.ext.set('toolingAPIVersion', '9.2.0')
 
 allprojects {
@@ -30,6 +33,12 @@ subprojects {
     }
   }
 
+  configurations.all {
+    resolutionStrategy {
+      force "com.google.protobuf:protobuf-java:${protobufVersion}"
+    }
+  }
+
   protobuf {
     protoc {
       if (osdetector.os == 'osx') {
diff --git a/gradle-language-server/build.gradle b/gradle-language-server/build.gradle
@@ -23,7 +23,7 @@ application {
 dependencies {
   implementation "org.eclipse.lsp4j:org.eclipse.lsp4j:0.24.0"
   implementation "org.eclipse.lsp4j:org.eclipse.lsp4j.jsonrpc:0.24.0"
-  implementation "com.google.guava:guava:32.1.3-jre"
+  implementation "com.google.guava:guava:33.4.0-jre"
   implementation "org.codehaus.groovy:groovy-eclipse-batch:4.0.16-03"
   implementation "com.google.code.gson:gson:2.9.1"
   implementation "org.apache.bcel:bcel:6.6.1"
