Maven
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>32.0.0-jre</version>
<!-- or, for Android: -->
<version>32.0.0-android</version>
</dependency>
Jar files
Guava requires one runtime dependency, which you can download here:
Javadoc
JDiff
Changelog
Security fixes
- Reimplemented
Files.createTempDir
andFileBackedOutputStream
to further address CVE-2020-8908 and Guava issue #2575 (CVE-2023-2976, forthcoming). (feb83a1)
While CVE-2020-8908 was officially closed when we deprecated Files.createTempDir
in Guava 30.0, we've heard from users that even recent versions of Guava have been listed as vulnerable in other databases of security vulnerabilities. In response, we've reimplemented the method (and the very rarely used FileBackedOutputStream
class, which had a similar issue) to eliminate the insecure behavior entirely. This change could technically affect users in a number of different ways (discussed under "Incompatible changes" below), but in practice, we expect no problems for anyone except Windows users. (Unfortunately, we didn't think of the Windows problem until after the release. And while we warn that common.io
in particular may not work under Windows, we didn't intend to potentially regress support.)
Incompatible changes
Although this release bumps Guava's major version number, it makes no binary-incompatible changes to the guava
artifact.
A few changes could cause isses for users in relatively rare situations:
- This release makes a binary-incompatible change to a
@Beta
API in the separate artifactguava-testlib
. Specifically, we changed the return type ofTestingExecutors.sameThreadScheduledExecutor
toListeningScheduledExecutorService
. The old return type was a package-private class, which caused the Kotlin compiler to produce warnings. (dafaa3e) - This release adds two methods to the Android flavor of Guava:
Invokable.getAnnotatedReturnType()
andParameter.getAnnotatedType()
. Those methods do not work under an Android VM; we added them only to help our tests of the Android flavor (since we also run those tests under a JRE). Android VMs tolerate such methods as long as the app does not call them or perform reflection on them, and builds tolerate them because of our new Proguard configurations (discussed below). Thus, we expect no impact to most users. However, we could imagine build problems for users who have set up their own build system for the Android flavor of Guava. Please report any problems so that we can judge how safely we might be able to add other methods to the Android flavor in the future, such as APIs that use Java 8 classes likeStream
. (b30e73c) - This release removes various APIs from the
guava-gwt
. This affects only users of GWT. The APIs we removed areEnums
,Sets.complementOf
, and theEnum*BiMap
classes'keyType()
andvalueType()
methods. These changes prepare for the removal of reflective enum-related APIs from J2CL. If one of these changes causes you problems as a GWT user, let us know. (c3a155d, 09db2c2, 3de12be) - The new implementations of
Files.createTempDir
andFileBackedOutputStream
throw an exception under Windows. We suspect that we could make the implementations work under Windows, but we'd likely need help to implement and test Windows support, including making the case that the resulting behavior is secure. - The new implementations of
Files.createTempDir
andFileBackedOutputStream
are annotated as@J2ObjCIncompatible
. If you need to use them under J2ObjC, contact us. (56dc928) - Because the new version of
Files.createTempDir
restricts permissions to the current user, it could break any user that relies on letting other users access the directory. - The new versions of
Files.createTempDir
andFileBackedOutputStream
throw an exception if they can't create the directory or file securely. This is possible only under Android Ice Cream Sandwich, a very old version of Android that is the oldest one we test Guava with.
Other changes
- Removed
@Beta
from almost all APIs. For details, see the bottom of the release notes. At this point, it's probably simpler to look at a list of APIs that still are@Beta
, such as this list forguava-jre
. Most of the remaining@Beta
APIs are ingraph
andhash
. - Enhanced the Guava jar to include Proguard configurations that are picked up automatically by the Android Gradle Plugin. This should help with warnings that were promoted to errors in Android Gradle Plugin 8.x. (aeba1e1)
- Enhanced the Guava jar to include information about method parameters in its class files. If you use static analyzers that look at method-parameter names, you may see new warnings or errors if they are now able to detect mismatches. But mostly, you may see better tooltips and autocompletion in IDEs. (59d174c)
- Improved nullness annotations on a few classes.
- Modified classes with "serial proxies" to declare exception-throwing
readObject
methods, in accordance with best practice. (e62d6a0) collect
: FixedMaps.newHashMapWithExpectedSize
to stop allocating maps that were larger than they needed to be. (6ad621e)collect
: Made various APIs work J2CL:Maps.immutableEnumMap
+toImmutableEnumMap
,EnumMultiset
,CollectorTester
. Previously, the APIs were present but failed at runtime. (b62c88e, 23ff918, 852a7d3)collect
: Optimized memory usage forInterner
andMapMaker
. (a2e8f3c)graph
: Changed directed graphs to reject attempts to add undirected edges. (76260d9)io
: AddedBaseEncoding.ignoreCase()
to support case-insensitive decoding. (9c1e5de)net
: AddedHttpHeaders
constants:net
: Added theMediaType
constant for JWT. (f942fd2)primitives
: Addedrotate()
for arrays of all primitive types. (cd338fa, 6e9057d)util.concurrent
: ChangedAbstractFuture
to runinterruptTask()
just beforeafterDone()
. Until this change, it ran slightly earlier than that: We used to run it before unblocking any pendingget()
calls, and now we run it after. (b337be6)util.concurrent
: Fixed some cases in which we could catchInterruptedException
but fail to restore the interrupt bit. (8f0350a)
@Beta
removal list
base
:Utf8
(211907c)base
: more APIs (b0cc461)collect
:Multimaps.asMap(...)
(df0081f)collect
:FluentIterable
APIs (73b2f7b)collect
:Forwarding[Foo]
APIs (9760dbc)collect
:ImmutableFoo.Builder.builderWithExpectedSize(...)
,orderEntriesByValue(...)
, andEntry
-related APIs (61be35c)collect
:RangeMap
,RangeSet
, and friends (fe12c81)collect
: more APIs (98820c7, e5e0f66)io
:ByteStreams
(4897930)io
: more APIs (a589256)math
: various APIs (912815e)primitives
:Longs.tryParse(...)
and friends (b3d4856)primitives
:UnsignedLongs
(b240e8c)primitives
: more APIs (fcec25f, ab4302a)reflect
:Invokable
and some methods inTypeToken
(a195f7d)reflect
:Parameter
(exceptgetAnnotatedType()
inguava-android
) (b561eb1)testing
: various APIs (b331769, 74ad9b8)util.concurrent
:FluentFuture
(b9a2d58)util.concurrent
:Futures
(15a0c9f)util.concurrent
:Striped
(ba8ad69)util.concurrent
: variousMoreExecutors
APIs (a3571b4)util.concurrent
: more APIs (bbaf76a)