
Issue with Circe dependency - org.yaml:snakeyaml #123

Closed
Meridiano1984 opened this issue Oct 18, 2023 · 4 comments · Fixed by #132

Comments

@Meridiano1984

Hello,
I have a problem with the vulnerable library org.yaml:snakeyaml in version <2.0. Your library uses io.circe:circe-yaml, which uses org.yaml:snakeyaml; I am also aware that there is no stable version of io.circe:circe-yaml using snakeyaml in version >2.0. My question is: are you considering switching to another library without such problems?

My concerns were raised by this problem: CVE-2022-1471


adamw commented Oct 31, 2023

Sure, we should address this. Do you have any suggestions on what library we might use? PRs are of course welcome as well :)


jamonkko commented Nov 6, 2023

This seems to be fixed, since the update of circe-yaml to 1.15, which does not have the CVE anymore, was already merged.
(FYI, circe-yaml seems to have released 1.15 by accident; it should have been 0.15, and now there is also 0.15.1. If the versioning continues in the 0.15 line, I guess it breaks the automated dependency update flows of the projects that took 1.15 into use.)

Anyway, to get rid of the CVE showing up in scanning results for tapir-swagger-ui-bundle users, a new release of sttp-apispec is needed, and then also a new release of tapir updated to use the new apispec.

@svavassori

I just noticed that the recently released version 0.7.2 uses circe-yaml 1.15.0, while the circe-yaml release page clearly states it shouldn't be used because it was a mistake, and they already released a patch over the correct one (i.e. 0.15.1).

Could you please share the reason for which you decided to go with 1.15.0?
Is there any possibility of a release of sttp-apispec with circe-yaml 0.15.1?
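As an added example (not part of this thread, sttp-apispec or circe-yaml), a small check over a constructed sbt-style dependency tree that flags the two problems raised above: snakeyaml below 2.0 (CVE-2022-1471) and the accidental circe-yaml 1.15 line, which a plain highest-version update prefers over the intended 0.15.x line. The coordinates in the sample tree are constructed for illustration.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# Constructed sample shaped like `sbt dependencyTree` output; not a real project's tree.
SAMPLE_TREE = """\
[info] com.softwaremill.sttp.apispec:openapi-circe-yaml_2.13:0.7.2
[info]   +-io.circe:circe-yaml_2.13:1.15.0
[info]   | +-org.yaml:snakeyaml:2.0
[info] com.example:legacy-app_2.13:1.0.0
[info]   +-io.circe:circe-yaml_2.13:0.14.2
[info]   | +-org.yaml:snakeyaml:1.33
"""

# group:artifact:version; leading \w keeps tree glyphs like "+-" out of the group.
COORD = re.compile(r"(\w[\w.\-]*):(\w[\w.\-]*):(\d+(?:\.\d+)*)")


class Finding(NamedTuple):
    coordinate: str
    reason: str


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def artifact_base(artifact: str) -> str:
    # Strip the Scala binary-version suffix, e.g. circe-yaml_2.13 -> circe-yaml.
    return artifact.split("_")[0]


def audit(tree: str) -> list[Finding]:
    findings: list[Finding] = []
    for m in COORD.finditer(tree):
        group, artifact, version = m.groups()
        coord = f"{group}:{artifact}:{version}"
        base, ver = artifact_base(artifact), parse_version(version)
        if group == "org.yaml" and base == "snakeyaml" and ver < (2, 0):
            findings.append(Finding(coord, "snakeyaml < 2.0 (CVE-2022-1471)"))
        if group == "io.circe" and base == "circe-yaml" and ver[:2] == (1, 15):
            findings.append(Finding(coord, "accidental 1.15 release; intended line is 0.15.x"))
    return findings


def highest_version(candidates: list[str]) -> str:
    """What a plain highest-version bump picks: 1.15.0 beats 0.15.1 numerically."""
    return max(candidates, key=parse_version)
```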


adamw commented Nov 24, 2023

@svavassori the version was bumped by an automatic update (scala-steward). See the PR for a fix. I'll make a release shortly.
