Managing Security Vulnerabilities: Upgrading com.google.guava:guava Package in Mendix Application and Handling Duplicate Versions

0
Hello there! Recently I encountered an issue regarding a security vulnerability in my Mendix application. It was regarding the package "com.google.guava:guava", which I had to upgrade from 30.1.1 to 32.0.0. After upgrading the "Community Comms" from the Marketplace I was able to upgrade the package, but I now have two packages, one of version 30.1.1 and another of 32.0.0, and I only require the latest one. If I delete the older version, will it affect my application? If yes, how can I resolve that issue?
asked
1 answers
0

Hello Tushar,

If the 32.0.0 package came with the upgrade, and version 30.1.1 is not used by another module in your application, you can possibly delete it. Before you do, just move the file out of your application, sync your application and rerun your application; if that works, you're safe to go.

If it is not working, please look for other dependencies on the 30.1.1 file and update those modules as well, then apply the same process as above to test it without the file.

If it is still not working, it is best to contact the marketplace module developers to signal them of the vulnerability and to ask them to update their code. If they release a new version, then you just have to update your module again, but in this way you can be sure that you have no when you update your marketplace modules later, and the community benefits as a whole.

Thank you for sharing the insight and the signal.

Good luck!

answered
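The "look for other dependencies to the 30.1.1 file" step from the answer can be scripted; the following is an added example, not code from the original post or from Mendix. It assumes jars sit in one library folder (such as the project's `userlib`), are named `<artifact>-<version>[-qualifier].jar`, and that a module needing a jar leaves a `<jar>.<Module>.RequiredLib` marker beside it; the module names and the `examplelib` artifact are constructed sample data.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumption: jars are named <artifact>-<version>[-qualifier].jar (guava-30.1.1-jre.jar).
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9]+)*\.jar$")
# Assumption: a module that needs a jar leaves a marker <jar>.<Module>.RequiredLib beside it.
MARKER = ".RequiredLib"


def version_key(version):
    return tuple(int(part) for part in version.split("."))


def find_duplicates(userlib):
    """Map artifact -> [(version, jar, [modules])], oldest first, for artifacts with >1 version."""
    names = [p.name for p in Path(userlib).iterdir() if p.is_file()]
    found = defaultdict(list)
    for name in names:
        match = JAR_RE.match(name)
        if match:
            prefix = name + "."
            modules = sorted(n[len(prefix):-len(MARKER)] for n in names
                             if n.startswith(prefix) and n.endswith(MARKER))
            found[match["artifact"]].append((match["version"], name, modules))
    return {artifact: sorted(entries, key=lambda e: version_key(e[0]))
            for artifact, entries in found.items() if len({e[0] for e in entries}) > 1}


def removable(entries):
    """Older jars that no marker references; the newest version is never proposed."""
    return [jar for _, jar, modules in entries[:-1] if not modules]


def build_sample():
    """Constructed userlib: guava 30.1.1 is orphaned, examplelib 1.0.0 is still required."""
    root = Path(tempfile.mkdtemp())
    for name in ("guava-30.1.1-jre.jar", "guava-32.0.0-jre.jar",
                 "guava-32.0.0-jre.jar.UpgradedModule.RequiredLib",
                 "examplelib-1.0.0.jar", "examplelib-1.0.0.jar.LegacyModule.RequiredLib",
                 "examplelib-2.0.0.jar", "examplelib-2.0.0.jar.UpgradedModule.RequiredLib"):
        (root / name).touch()
    return root


if __name__ == "__main__":
    for artifact, entries in find_duplicates(build_sample()).items():
        for version, jar, modules in entries:
            print(artifact, version, jar, "required by:", ", ".join(modules) or "nobody")
        print("  candidates to move out and test:", removable(entries) or "none")
```

A jar without a marker can still be referenced by custom Java code, so the move-out, sync and rerun test from the answer remains the deciding check.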