Issue with Circe dependency - org.yaml:snakeyaml #123
Comments
Sure, we should address this. Do you have any suggestions on what library we might use? PRs are of course welcome as well :)
This seems to be fixed, since the update of circe-yaml to 1.15, which does not have the CVE anymore, was merged already. Anyway, to get rid of the CVE showing up in scanning results for
I just noticed that the recently released version 0.7.2 uses circe-yaml 1.15.0, while the circe-yaml release page states clearly it shouldn't be used because it was a mistake, and they already released a patch over the correct one (i.e. 0.15.1). Could you please share the reason for which you decided to go with 1.15.0?
@svavassori the version was bumped by an automatic update (scala-steward). See the PR for a fix. I'll make a release shortly.
Hello,
I have a problem with the vulnerable library org.yaml:snakeyaml in version <2.0. Your library uses io.circe:circe-yaml, which uses org.yaml:snakeyaml. I am also aware there is no stable version of io.circe:circe-yaml using snakeyaml in version >2.0. My question is: are you considering switching to another library without such problems? My concerns were raised by this problem: CVE-2022-1471
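An added example (not code from the issue or from the circe project) that walks a constructed dependency tree and reports every path ending in an org.yaml:snakeyaml version below 2.0, the range the report names as affected by CVE-2022-1471; the tree, its coordinates and its version numbers are constructed for illustration, not the project's real dependencies:

```python
# Added example: find transitive paths to a vulnerable org.yaml:snakeyaml
# (< 2.0, CVE-2022-1471) in a dependency tree, as a scanner would.
from typing import Dict, List, Tuple

VULNERABLE_ARTIFACT = "org.yaml:snakeyaml"
FIXED_VERSION = (2, 0)  # the issue states that versions < 2.0 are affected


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.33' or '2.0' into a comparable tuple; non-numeric parts count as 0.
    Padded to at least two components so '2' compares equal to '2.0'."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(coordinate: str) -> bool:
    """coordinate is 'group:artifact:version' as build tools print it."""
    group, artifact, version = coordinate.split(":")
    return f"{group}:{artifact}" == VULNERABLE_ARTIFACT and parse_version(version) < FIXED_VERSION


def find_vulnerable_paths(tree: Dict[str, List[str]], root: str) -> List[List[str]]:
    """Depth-first walk; returns every root-to-vulnerable-node path (cycle-safe)."""
    found: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        path = path + [node]
        if is_vulnerable(node):
            found.append(path)
        for child in tree.get(node, []):
            if child not in path:  # do not loop on cyclic declarations
                walk(child, path)

    walk(root, [])
    return found


# Constructed sample tree; the versions here are illustrative, not real releases.
SAMPLE_TREE = {
    "example:app:0.1.0": ["io.circe:circe-yaml:0.14.2", "io.circe:circe-core:0.14.5"],
    "io.circe:circe-yaml:0.14.2": ["org.yaml:snakeyaml:1.33", "io.circe:circe-core:0.14.5"],
    "io.circe:circe-core:0.14.5": [],
    "org.yaml:snakeyaml:1.33": [],
}

if __name__ == "__main__":
    for path in find_vulnerable_paths(SAMPLE_TREE, "example:app:0.1.0"):
        print(" -> ".join(path))
```

The printed path shows which direct dependency (here circe-yaml) pulls in the affected snakeyaml, which is the information needed to decide between upgrading that dependency and overriding the transitive version.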