Closed SnowzNZ closed 6 months ago
We actually don't use that version, at least not strictly. All of the platforms (Bukkit/Spigot/Paper, BungeeCord/Waterfall, Sponge, Velocity) provide a version of SnakeYaml, and LibertyBans uses whichever SnakeYaml copy is already installed.
Sometimes the platform uses an older SnakeYaml version which has vulnerabilities. When that happens, however, we aren't exposing the user to any vulnerabilities they weren't already exposed to, since the server platform itself uses SnakeYaml. We use SnakeYaml in the same way as the platform does.
The current version used in the root directory's pom.xml is 1.26, which is 4 years old with 7 known vulnerabilities. https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26