google/guava v32.0.0

32.0.0

on GitHub

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>32.0.0-jre</version>
  <!-- or, for Android: -->
  <version>32.0.0-android</version>
</dependency>

Jar files

• 32.0.0-jre.jar
• 32.0.0-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.1.jar

Javadoc

• 32.0.0-jre
• 32.0.0-android

JDiff

• 32.0.0-jre vs. 31.1-jre
• 32.0.0-android vs. 31.1-android
• 32.0.0-android vs. 32.0.0-jre

Changelog

Security fixes

• Reimplemented Files.createTempDir and FileBackedOutputStream to further address CVE-2020-8908 and Guava issue #2575 (CVE-2023-2976, forthcoming). (feb83a1)

While CVE-2020-8908 was officially closed when we deprecated Files.createTempDir in Guava 30.0, we've heard from users that even recent versions of Guava have been listed as vulnerable in other databases of security vulnerabilities. In response, we've reimplemented the method (and the very rarely used FileBackedOutputStream class, which had a similar issue) to eliminate the insecure behavior entirely. This change could technically affect users in a number of different ways (discussed under "Incompatible changes" below), but in practice, we expect no problems for anyone except Windows users. (Unfortunately, we didn't think of the Windows problem until after the release. And while we warn that common.io in particular may not work under Windows, we didn't intend to potentially regress support.)

Incompatible changes

Although this release bumps Guava's major version number, it makes no binary-incompatible changes to the guava artifact.

A few changes could cause isses for users in relatively rare situations:

• This release makes a binary-incompatible change to a @Beta API in the separate artifact guava-testlib. Specifically, we changed the return type of TestingExecutors.sameThreadScheduledExecutor to ListeningScheduledExecutorService. The old return type was a package-private class, which caused the Kotlin compiler to produce warnings. (dafaa3e)
• This release adds two methods to the Android flavor of Guava: Invokable.getAnnotatedReturnType() and Parameter.getAnnotatedType(). Those methods do not work under an Android VM; we added them only to help our tests of the Android flavor (since we also run those tests under a JRE). Android VMs tolerate such methods as long as the app does not call them or perform reflection on them, and builds tolerate them because of our new Proguard configurations (discussed below). Thus, we expect no impact to most users. However, we could imagine build problems for users who have set up their own build system for the Android flavor of Guava. Please report any problems so that we can judge how safely we might be able to add other methods to the Android flavor in the future, such as APIs that use Java 8 classes like Stream. (b30e73c)
• This release removes various APIs from the guava-gwt. This affects only users of GWT. The APIs we removed are Enums, Sets.complementOf, and the Enum*BiMap classes' keyType() and valueType() methods. These changes prepare for the removal of reflective enum-related APIs from J2CL. If one of these changes causes you problems as a GWT user, let us know. (c3a155d, 09db2c2, 3de12be)
• The new implementations of Files.createTempDir and FileBackedOutputStream throw an exception under Windows. We suspect that we could make the implementations work under Windows, but we'd likely need help to implement and test Windows support, including making the case that the resulting behavior is secure.
• The new implementations of Files.createTempDir and FileBackedOutputStream are annotated as @J2ObjCIncompatible. If you need to use them under J2ObjC, contact us. (56dc928)
• Because the new version of Files.createTempDir restricts permissions to the current user, it could break any user that relies on letting other users access the directory.
• The new versions of Files.createTempDir and FileBackedOutputStream throw an exception if they can't create the directory or file securely. This is possible only under Android Ice Cream Sandwich, a very old version of Android that is the oldest one we test Guava with.

Other changes

• Removed @Beta from almost all APIs. For details, see the bottom of the release notes. At this point, it's probably simpler to look at a list of APIs that still are @Beta, such as this list for guava-jre. Most of the remaining @Beta APIs are in graph and hash.
• Enhanced the Guava jar to include Proguard configurations that are picked up automatically by the Android Gradle Plugin. This should help with warnings that were promoted to errors in Android Gradle Plugin 8.x. (aeba1e1)
• Enhanced the Guava jar to include information about method parameters in its class files. If you use static analyzers that look at method-parameter names, you may see new warnings or errors if they are now able to detect mismatches. But mostly, you may see better tooltips and autocompletion in IDEs. (59d174c)
• Improved nullness annotations on a few classes.
• Modified classes with "serial proxies" to declare exception-throwing readObject methods, in accordance with best practice. (e62d6a0)
• collect: Fixed Maps.newHashMapWithExpectedSize to stop allocating maps that were larger than they needed to be. (6ad621e)
• collect: Made various APIs work J2CL: Maps.immutableEnumMap+toImmutableEnumMap, EnumMultiset, CollectorTester. Previously, the APIs were present but failed at runtime. (b62c88e, 23ff918, 852a7d3)
• collect: Optimized memory usage for Interner and MapMaker. (a2e8f3c)
• graph: Changed directed graphs to reject attempts to add undirected edges. (76260d9)
• io: Added BaseEncoding.ignoreCase() to support case-insensitive decoding. (9c1e5de)
• net: Added HttpHeaders constants:
  • No-Vary-Search (688b9c2)
  • Sec-CH-DPR (75a3d4d)
  • Sec-CH-UA-Wow64 (49e6b9c)
  • Sec-CH-Viewport-Width and Sec-CH-Viewport-Height (44df85a)
  • Supports-Loading-Mode (0d5c16f)
• net: Added the MediaType constant for JWT. (f942fd2)
• primitives: Added rotate() for arrays of all primitive types. (cd338fa, 6e9057d)
• util.concurrent: Changed AbstractFuture to run interruptTask() just before afterDone(). Until this change, it ran slightly earlier than that: We used to run it before unblocking any pending get() calls, and now we run it after. (b337be6)
• util.concurrent: Fixed some cases in which we could catch InterruptedException but fail to restore the interrupt bit. (8f0350a)

@Beta removal list

• base: Utf8 (211907c)
• base: more APIs (b0cc461)
• collect: Multimaps.asMap(...) (df0081f)
• collect: FluentIterable APIs (73b2f7b)
• collect: Forwarding[Foo] APIs (9760dbc)
• collect: ImmutableFoo.Builder.builderWithExpectedSize(...), orderEntriesByValue(...), and Entry-related APIs (61be35c)
• collect: RangeMap, RangeSet, and friends (fe12c81)
• collect: more APIs (98820c7, e5e0f66)
• io: ByteStreams (4897930)
• io: more APIs (a589256)
• math: various APIs (912815e)
• primitives: Longs.tryParse(...) and friends (b3d4856)
• primitives: UnsignedLongs (b240e8c)
• primitives: more APIs (fcec25f, ab4302a)
• reflect: Invokable and some methods in TypeToken (a195f7d)
• reflect: Parameter (except getAnnotatedType() in guava-android) (b561eb1)
• testing: various APIs (b331769, 74ad9b8)
• util.concurrent: FluentFuture (b9a2d58)
• util.concurrent: Futures (15a0c9f)
• util.concurrent: Striped (ba8ad69)
• util.concurrent: various MoreExecutors APIs (a3571b4)
• util.concurrent: more APIs (bbaf76a)