spring-cloud-starter-netflix-eureka-client 4.3.0 brings in guava 14 that has multiple security issues

[famod]

While updating from Spring Boot 3.3 and Spring Cloud 2023.0.6 (spring-cloud-starter-netflix-eureka-client 4.1.6 respectively) to Spring Boot 3.5 and Spring Cloud 2025.0.0 (spring-cloud-starter-netflix-eureka-client 4.3.0 respectively) I noticed that a new CVE warning popped up caused by guava 14.0.1.
This guava version has actually multiple security issues: https://mvnrepository.com/artifact/com.google.guava/guava/14.0.1

In 4.1.6 there is a dependency to eureka-core which brings in a much newer version of guava:

But that eureka-core dependency was removed via b53540e which also means that 4.2.x is affected as well.

Btw, I've also cross-checked via ./mvnw dependency:tree -f spring-cloud-starter-netflix-eureka-client | grep -P 'guava|$' on main and the various tags involved.

[spencergibb]

These aren't managed by spring-cloud-netflix.

[famod]

Sure, but it's not uncommon for frameworks and platforms to manage transitive dependencies explicitly to resolve conflicts or (like in this case) mitigate CVEs, so that users/consumers don't have to do it themselves.

I don't see any activity over at Netflix/netflix-commons#44 (see also Netflix/netflix-commons#39).
I also don't see much activity one level further up (on eureka level), e.g.: Netflix/eureka#1539

So it would be great if spring-cloud-netflix would fill the gap.

[spencergibb]

Unfortunately, guava regularly has breaking changes in releases. Your image shows that guava 14 was not included in your dependencies, and it uses guava 33.

[famod]

The screenshot is from spring-cloud-starter-netflix-eureka-client 4.1.6 when there was still a dependency to eureka-core.
This issue starts with 4.2 and is still present in the latest release.

[spencergibb]

PRs welcome