apache / linkis

Apache Linkis builds a computation middleware layer to facilitate connection, governance and orchestration between the upper applications and the underlying data engines.
https://linkis.apache.org/
Apache License 2.0

[Bug] upgrade to snakeyaml 2.0 due to cve #4273

Open pjfanning opened 1 year ago

pjfanning commented 1 year ago

Search before asking

Linkis Component

linkis-commons

Steps to reproduce

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in

Expected behavior

secure lib used

Your environment

Anything else

No response

Are you willing to submit a PR?

github-actions[bot] commented 1 year ago

:blush: Welcome to the Apache Linkis community!!

We are glad that you are contributing by opening this issue.

Please make sure to include all the relevant context. We will be here shortly.

If you are interested in contributing to our website project, please let us know! You can check out our contributing guide on :point_right: How to Participate in Project Contribution.

Community

Mailing Lists

| Name | Description | Subscribe | Unsubscribe | Archive |
| --- | --- | --- | --- | --- |
| dev@linkis.apache.org | community activity information | subscribe | unsubscribe | archive |

pjfanning commented 1 year ago

Looks like this is blocked because of Spring - see https://github.com/apache/linkis/pull/4274