Guava Vulnerability / Guice+Guava Update

[N1k145]

Currently, Guice 5 and Guava up to 31 is used in the GLSP Server and Eclipse Integration

These Guava Versions are affected by CVE-2023-2976 classified as a high security risk.
This could be mitigated by updating to Guava 32.0.1 or higher (32.1.2 is part of the 2023-09 SimRel)

The Issue is that Guice 5 has an upper limit of Guava 31 and so an Update to Guice 6 or 7 is necessary.
Xtext already did this update to Guice 7, which is now part of the SimRel

The drawback is that an update to Guice 7 requires changing from javax.inject to jakarta.inject.
Besides that, there are probably no breaking changes that affect GLSP.

The current situation makes is very complicated to use Xtext and GLSP in the same runtime.

Have you already discussed this update?

[N1k145]

I tied to define a new target for 2023-09 with Guice 7 and Guava 32, and it seems to work fine, without breaking changes
I also tried the old target and also this is still working

eclipse-glsp/glsp-server@1dea5dd
eclipse-glsp/glsp-eclipse-integration@7c1a6e6

[planger]

Hi @N1k145, very cool! Thank you! Please feel free to open a PR with those changes. We'll try and see if we can still merge it before the release (but it is already very close... ;-) we keep pushing the deadline back because interesting changes come in :-)).

[N1k145]

Hi @planger
I opened up the two PRs:
eclipse-glsp/glsp-eclipse-integration#89
eclipse-glsp/glsp-server#216

Do you want also the target in the pom to be changed? Currently, the build still compiles against the 2022-12 target. For the 2023-09 to work you need also a 2023-09 development environment as an issue in PDE is triggered see: eclipse-pde/eclipse.pde#429 that is fixed in 2023-09