Closed
Summary
Even though this is about a Guava vulnerability, because graphql-java shades the Guava library, vulnerabilities-scanning software is flagging graphql-java as also being vulnerable.
If I understand correctly, Guava has been updated already in graphql-java, but a "stable" release has not been made yet (?).
I am creating this ticket to ask if you could release a patch version including this update.
The Guava vulnerability reported at CVE-2023-2976 has been fixed in Guava version 32.0.0.
The latest stable version of graphql-java seems to be 20.3 as of writing, but that version is using Guava 31.0.1-jre.
The CVE is not published as of writing, but it's referenced in Guava's CHANGELOG.
The impact of the Guava vulnerability is explained here.
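The issue above hinges on the fact that a shaded dependency does not show up as a normal Maven/Gradle coordinate, so a scanner that flags graphql-java is really reacting to a relocated copy of Guava's classes inside the jar. The following Python script is an added example, not code from the issue or from the graphql-java project: it opens a jar, looks for Guava's package tree (`com/google/common/`) at any relocation prefix, and reports each prefix with the number of classes found under it. The sample jar it builds in memory is constructed for the example, and the relocation prefix `graphql/` used there is an assumption for illustration, not a statement about graphql-java's actual shading layout.

```python
import io
import sys
import zipfile
from typing import Dict

# Package path that every Guava class lives under, before or after relocation.
GUAVA_PKG = "com/google/common/"


def build_sample_jar() -> bytes:
    """Constructed sample jar (not a real graphql-java artifact).

    It contains two Guava classes relocated under the assumed prefix "graphql/",
    mimicking what a shade plugin produces, plus an unrelated class and a manifest.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("graphql/GraphQL.class", b"")
        zf.writestr("graphql/com/google/common/io/Files.class", b"")
        zf.writestr("graphql/com/google/common/base/Strings.class", b"")
    return buf.getvalue()


def find_shaded_guava(jar_bytes: bytes) -> Dict[str, int]:
    """Return {relocation_prefix: class_count} for each copy of Guava found in the jar.

    A prefix of "" means an unshaded copy at the normal package location;
    any other prefix indicates a relocated (shaded) copy that dependency
    scanners will not see as a Guava coordinate.
    """
    counts: Dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            idx = name.find(GUAVA_PKG)
            if idx == -1:
                continue
            prefix = name[:idx]
            counts[prefix] = counts.get(prefix, 0) + 1
    return counts


def scan_jar_file(path: str) -> Dict[str, int]:
    """Convenience wrapper: scan a jar on disk."""
    with open(path, "rb") as fh:
        return find_shaded_guava(fh.read())


if __name__ == "__main__":
    # With a path argument, scan that jar; otherwise scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    result = find_shaded_guava(data)
    if not result:
        print("no Guava classes found")
    for prefix, n in sorted(result.items()):
        label = prefix or "(unshaded)"
        print(f"{label}: {n} Guava class(es)")
```

Run it against a real artifact with `python shaded_guava.py graphql-java-<version>.jar`. A non-empty result tells you which copy of Guava is actually bundled; because shaded classes carry no version metadata of their own, confirming whether that copy predates the fixed Guava release still requires checking the upstream project's declared Guava version, which is exactly why the reporter asks for a patch release rather than a scanner exception.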