Starlink / starjava

Java applications initially developed for the Starlink Project but now developed independently

Vulnerabilities from libraries used by stil #70

Open pahjbo opened 1 month ago

pahjbo commented 1 month ago

Looking at https://mvnrepository.com/artifact/uk.ac.starlink/stil/4.3 it is clear that there are some fairly serious security vulnerabilities in the JSON and YAML library dependencies. It would be good to update these (the JSON one is 10 years old!).

mbtaylor commented 3 weeks ago

Thanks @pahjbo you are right. This is really just a case of updating the POM, I've been using snakeyaml v2.2 in development for a while now so the snakeyaml version in the POM is an oversight, and there are no source changes required for an update of JSON-java to 20240303. I've made changes so that the next STIL release should have these versions in the POM so that the CVEs go away. I can't easily test this without actually making a release, so I will leave this issue open until the next release, when I'll try to remember to check that this has actually happened.

pahjbo commented 2 weeks ago

I guessed that was probably the case - so it is fine for local use to override what the POM is saying before the next official release.
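
The local override described in the two comments above, as an added example rather than anything from the starjava project: a consumer pom.xml that depends on uk.ac.starlink:stil:4.3 and pins the two transitive dependencies to the versions the maintainer names (snakeyaml 2.2, JSON-java 20240303). The Maven coordinates org.yaml:snakeyaml and org.json:json, and the consumer project's own groupId/artifactId, are assumptions, not taken from the thread.

```xml
<!-- Added example, not code from the starjava project. Assumed coordinates:
     org.yaml:snakeyaml for the YAML library and org.json:json for JSON-java;
     the versions 2.2 and 20240303 are the ones named in the issue. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- hypothetical consumer project -->
  <groupId>example</groupId>
  <artifactId>stil-consumer</artifactId>
  <version>0.1-SNAPSHOT</version>

  <!-- dependencyManagement takes precedence over the versions declared in
       stil's own POM when Maven resolves transitive dependencies, so every
       path to snakeyaml and org.json in the graph gets the pinned version. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>2.2</version>
      </dependency>
      <dependency>
        <groupId>org.json</groupId>
        <artifactId>json</artifactId>
        <version>20240303</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the release whose POM still references the old library versions -->
    <dependency>
      <groupId>uk.ac.starlink</groupId>
      <artifactId>stil</artifactId>
      <version>4.3</version>
    </dependency>
  </dependencies>
</project>
```

Check that the override actually took effect with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml,org.json:json`, which prints only the resolved versions of those two artifacts; the IDE's vulnerability warning keys off the resolved version, not the one written in stil's POM. The pin is safe only because the maintainer states that STIL already builds against snakeyaml 2.2 and needs no source changes for JSON-java 20240303; a pinned major-version bump of a library the consumed code was not written against would be a runtime risk rather than a fix. Once a STIL release with the updated POM is published, drop the pins so they do not silently hold back later updates.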

mbtaylor commented 2 weeks ago

Correct. BTW from what I can tell the chances of users suffering security issues based on these vulnerabilities in practice seems rather remote.

pahjbo commented 2 weeks ago

> Correct. BTW from what I can tell the chances of users suffering security issues based on these vulnerabilities in practice seems rather remote.

Probably, but that security red light is rather binary; I only noticed it because the IDE that I use flashed up a warning at me!