Issue
There are currently a couple of vulnerabilities (CVE-2023-2976, CVE-2020-8908) stemming from the play-services-measurement-api:23.0.0 dependency used in the com.google.firebase:firebase-analytics:23.0.0 library due to an outdated version of Guava being used. Are there any plans to update this Play Services library to use a newer version of Guava to resolve the vulnerability? If not, are there any concerns with clients overriding the version of Guava used?
Affected Dependencies:
play-services-measurement-api:23.0.0
play-services-measurement-impl:23.0.0
NOTE: This is a copy of #7494 which was closed prematurely.
In the previous ticket, it was mentioned that GA4F doesn't use the affected methods referenced in the vulnerabilities, but the concern is that the play-services dependencies are using the affected methods. Are you able to provide any insight on this?