Monday, June 29, 2020

Re: Security Vulnerabilities with GWT

On Monday, June 29, 2020 at 3:36:11 PM UTC+2, Colin Alworth wrote:
1. No, these dependencies were not updated as part of the 2.9.0 release 
2. An update would come either in a 2.9.x bugfix release, or in 2.10 - the 3.x release is going to be structured in a different enough of a way that none of these will be present.
3. At a quick glance, it appears to be an oversight that protobuf is included in gwt-servlet and can be entirely removed. I believe this is likely a false positive if it is not used, since it gets a custom package, so will not interfere with other protobuf dependencies.

From a quick search in gwtproject/tools, protobuf is a transitive dependency of jscomp-sourcemaps, and it *is* indeed the rebased/repackaged version.

You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit

No comments:

Post a Comment