-
Notifications
You must be signed in to change notification settings - Fork 38.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade to SnakeYAML 2.0 #30048
Upgrade to SnakeYAML 2.0 #30048
Conversation
@bclozel Spring is not affected by CVE-2022-1471, but yes the tooling should stop complaining after this PR |
This change makes SnakeYaml 2.0+ a requirement for all Spring applications. We're scheduling this for 6.1.0 right now, but we might upgrade Spring Boot 3.1.0 to SnakeYaml 2.0 before that if the source/runtime compatibility is fine. |
Any plan to apply this fix to Spring Boot 2.x version? Thanks. |
@bclozel I can also contribute a PR to Spring Boot |
Is it possible to update the code such that Spring only uses a subset of snakeyaml, that is not affected by backwards-incompatible changes? |
this PR fixes failing YamlProcessorTests |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
## Description Upgrades SnakeYaml dependency version forcefully to 2.0 to overcome [this issue](spring-projects/spring-boot#33457), as advised [here](spring-projects/spring-boot#34405 (comment)). This version tag can be reverted when we upgrade to Spring 6.1, which is when the library [aims](spring-projects/spring-framework#30048 (comment)) to upgrade the version themselves. Fixes appsmithorg/appsmith-ee#1233 #### Type of change - Chore (housekeeping or task changes that don't impact user perception) ## Testing This PR will be tested during regression. --------- Co-authored-by: Arpit Mohan <[email protected]> Co-authored-by: Shrikant Sharat Kandula <[email protected]>
Are there any plans to backport the SnakeYAML 2.0+ upgrade into Spring Boot 2.7.x, for those unable to migrate to Spring Boot 3.x? |
SnakeYAML 2.0 deliveres backwards incompatible changes
https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes