When does PubSub upgrade to latest google-cloud-bom?

[paulbors]

What's your policy to keep up with newly discovered SAST vulnerabilities especially the ones patched inside the latest version of google-cloud-bom?

[madhavmadupu]

Hi @paulbors ,

I've looked into the current dependency versions in this repository. The latest stable version of google-cloud-bom is currently 0.254.0 (released Dec 17, 2025). This version includes updated transitive dependencies that address several recently discovered SAST and security vulnerabilities.

Regarding the policy: Google Cloud Open Source projects typically aim to align with the latest google-cloud-bom or libraries-bom releases to ensure security and compatibility. While automation often handles these updates in primary client libraries, community-managed repositories like this one sometimes require manual synchronization.

To address this issue, we should update the google-cloud-bom version to 0.254.0 across the project's pom.xml files (such as in the Kafka connector and load-test framework).

Specifically, the following change in the <dependencyManagement> section is recommended:

<dependency>
    <groupId>com.google.cloud</groupId>
    <artifactId>google-cloud-bom</artifactId>
    <version>0.254.0</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

Would you like me to open a Pull Request with these updates to resolve this and ensure the latest security patches are included?

[paulbors]

Hey @madhavmadupu
Could you please? Do those Google projects on GitHub not have defendabot enabled?

[madhavmadupu]

Hi @paulbors, I've just opened Pull Request #402 to update the google-cloud-bom version to 0.254.0 across all the project's pom.xml files.

Please let me know if there's anything else needed!