A248 / LibertyBans

The be-all, end-all of discipline.
https://ci.hahota.net:8443/job/LibertyBans/
GNU Affero General Public License v3.0
165 stars 40 forks

Update SnakeYAML #255

Closed SnowzNZ closed 6 months ago

SnowzNZ commented 6 months ago

The current version used in the root directory's pom.xml is 1.26, which is 4 years old with 7 known vulnerabilities. https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26

A248 commented 6 months ago

We actually don't use that version, at least not strictly. All of the platforms (Bukkit/Spigot/Paper, BungeeCord/Waterfall, Sponge, Velocity) provide a version of SnakeYaml, and LibertyBans uses whichever SnakeYaml copy is already installed.

Sometimes the platform uses an older SnakeYaml version which has vulnerabilities. When that happens, however, we aren't exposing the user to any vulnerabilities they weren't already exposed to, since the server platform itself uses SnakeYaml. We use SnakeYaml in the same way as the platform does.
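The thread turns on the difference between the SnakeYAML version a pom.xml declares and the copy the plugin actually resolves from the server platform at runtime. As an added illustration (not code from the issue, from LibertyBans or from any of the platforms named above), the following Java class reports which SnakeYAML jar and version the JVM really loaded and compares it against the declared 1.26. It assumes the platform ships SnakeYAML unshaded and Maven-built, so that `META-INF/maven/org.yaml/snakeyaml/pom.properties` is still present; the fallback to the manifest `Implementation-Version` is an assumption too, since SnakeYAML may not set it.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSource;
import java.util.Properties;

import org.yaml.snakeyaml.Yaml;

/**
 * Reports which copy of SnakeYAML is actually resolved at runtime, so the
 * version in a pom.xml can be checked against the platform-provided one.
 * Added illustration; not part of LibertyBans or of the issue thread.
 */
public final class SnakeYamlProvenance {

    /** Version the issue says the root pom.xml declares (assumption: still 1.26). */
    public static final String DECLARED_VERSION = "1.26";

    private SnakeYamlProvenance() {}

    /**
     * Location (normally a jar: URL) of the loaded org.yaml.snakeyaml.Yaml class,
     * or null when the JVM does not expose a code source for it.
     */
    public static String loadedFrom() {
        CodeSource src = Yaml.class.getProtectionDomain().getCodeSource();
        return src == null ? null : String.valueOf(src.getLocation());
    }

    /**
     * Version string of the SnakeYAML copy that was loaded. Reads the
     * pom.properties that Maven-built jars carry (assumed present and not
     * relocated by shading), then falls back to the manifest Implementation-Version.
     */
    public static String loadedVersion() {
        // The loader that defined Yaml is the one whose resources we must query:
        // on a server platform that is the platform's loader, not the plugin's.
        ClassLoader cl = Yaml.class.getClassLoader();
        if (cl != null) {
            try (InputStream in = cl.getResourceAsStream(
                    "META-INF/maven/org.yaml/snakeyaml/pom.properties")) {
                if (in != null) {
                    Properties p = new Properties();
                    p.load(in);
                    String v = p.getProperty("version");
                    if (v != null) {
                        return v;
                    }
                }
            } catch (IOException ignored) {
                // fall through to the manifest
            }
        }
        Package pkg = Yaml.class.getPackage();
        return pkg == null ? null : pkg.getImplementationVersion();
    }

    /** True when the runtime copy is a different version from the declared one. */
    public static boolean differsFromDeclared() {
        String v = loadedVersion();
        return v != null && !v.equals(DECLARED_VERSION);
    }

    public static void main(String[] args) {
        System.out.println("SnakeYAML loaded from: " + loadedFrom());
        System.out.println("SnakeYAML version:     " + loadedVersion());
        System.out.println("Declared in pom.xml:   " + DECLARED_VERSION);
        System.out.println("Runtime differs:       " + differsFromDeclared());
    }
}
```

Run it from a plugin's enable hook, or stand-alone with the platform jar on the class path, to see which SnakeYAML actually backs the plugin; if `loadedFrom()` points at the server jar rather than the plugin jar, bumping the version in pom.xml changes nothing about what executes, which is the point A248 makes above.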