From 5174b2eb293fb17443a7ad2c9c73ae1fcba06568 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Wed, 9 Apr 2025 12:38:59 -0400 Subject: [PATCH 1/2] docs: add instructions on Java 7 usage --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ab51e6e53..9bc16156f 100644 --- a/README.md +++ b/README.md @@ -17,9 +17,12 @@ content. The JSON and XML libraries are also fully pluggable, and they include s The library supports the following Java environments: -- Java 7 or higher - - The google-http-client-jackson2 and google-http-client-appengine modules require Java 8 or - higher due to their dependencies. +- Java 7 or higher. The following modules require Java 8 or + higher due to their dependencies: + - google-http-client (Java 7 is supported until version [TBD]) + - google-http-client-apache-v5 (Java 7 is supported until version [TBD]) + - google-http-client-jackson2 (Java 7 is supported until version [1.40.0](https://github.com/googleapis/google-http-java-client/releases/tag/v1.40.0) via [Jackson](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13#compatibility-jdk-requirements)) + - google-http-client-appengine (Java 7 [not supported](https://cloud.google.com/appengine/docs/standard/deprecations/shut-down)) - Android 4.4 (Kit Kat) - GoogleAppEngine Google App Engine From 89d8a09c30bdd64ee57fc8393d70415e0a648a37 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Wed, 9 Apr 2025 12:43:39 -0400 Subject: [PATCH 2/2] acknowledge CVE in guava --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9bc16156f..a15352bbc 100644 --- a/README.md +++ b/README.md 
@@ -19,8 +19,10 @@ The library supports the following Java environments: - Java 7 or higher. The following modules require Java 8 or higher due to their dependencies: - - google-http-client (Java 7 is supported until version [TBD]) - - google-http-client-apache-v5 (Java 7 is supported until version [TBD]) + - google-http-client (Java 7 is supported until version [TBD-1]) + - Note that version [TBD-1] contains Guava version `30.1.1`, which contains a [known CVE](https://www.cvedetails.com/cve/CVE-2023-2976/). + In order to avoid scanners from flagging this vulnerability, please upgrade your project to Java 8 and use the latest version of `google-http-client` + - google-http-client-apache-v5 (Java 7 is supported until version [TBD-2]) - google-http-client-jackson2 (Java 7 is supported until version [1.40.0](https://github.com/googleapis/google-http-java-client/releases/tag/v1.40.0) via [Jackson](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13#compatibility-jdk-requirements)) - google-http-client-appengine (Java 7 [not supported](https://cloud.google.com/appengine/docs/standard/deprecations/shut-down)) - Android 4.4 (Kit Kat)
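Review bot: In the README hunk of patch 1/2, the new lead sentence says the listed modules "require Java 8 or higher", yet the list now begins with google-http-client itself, so the headline "Java 7 or higher" no longer describes the current release of the core artifact. Suggest stating the current minimum (Java 8) first and then listing, per module, the last version that still runs on Java 7. The two "[TBD]" entries need real version numbers linked to release tags, the way the google-http-client-jackson2 line links 1.40.0, before this merges. As written, a reader who must stay on Java 7 has no version to pin.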
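Review bot: In the README hunk of patch 2/2, the added note frames CVE-2023-2976 as something to fix "In order to avoid scanners from flagging this vulnerability", which tells readers how to silence a finding but not whether they are exposed. Suggest putting the CVE id in the link text instead of "known CVE", and saying which Guava functionality is affected and whether google-http-client exercises it, so that users pinned to Java 7 can make a risk decision about staying on the version that bundles Guava `30.1.1`. "[TBD-1]" and "[TBD-2]" are still placeholders and the note cannot be acted on until they are real versions. Minor: the last added sentence has no terminal period, and the subject line drops the "docs:" prefix used in patch 1/2.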