SpongePowered / SpongeAPI

A Minecraft plugin API
http://www.spongepowered.org/
MIT License

Vulnerable version of SnakeYAML is being used in api #2559

Closed radon-86 closed 2 months ago

radon-86 commented 2 months ago

Major SpongeAPI version

11

Is this likely to be a breaking change?

Yes

What are you requesting?

According to the security tool I am using, Sponge API version 11 uses the package SnakeYAML version 1.28, which is vulnerable to various attacks according to Snyk: https://security.snyk.io/package/maven/org.yaml:snakeyaml/1.28.

zml2008 commented 2 months ago

Security tools are not a substitute for a brain.