Closed headius closed 1 year ago
OK, I misspoke... the current asciidoctorj uses 9.4.1.0, which DOES use the newer Psych that switched to SnakeYAML-Engine. So there's no immediate rush to merge and release this PR.
Sorry for the noise. You can close this if you like, but of course 9.4.3.0 is better than 9.4.1.0 (and 9.4.4.0 will be better than that in a week or two).
FYI I deleted a comment here that was intended for another project.
Thank you so much! Really appreciate this.
JRuby 9.4.3.0 includes an updated Psych YAML library, which uses SnakeYAML-Engine and avoids several CVEs against the original SnakeYAML. By updating here, downstream users of asciidoctorj will not run into security audit issues.
See related issues and PRs:
Thank you for opening a pull request and contributing to AsciidoctorJ!
Please take a bit of time to give some details about your pull request:
Kind of change
Description
What is the goal of this pull request?
How does it achieve that?
Are there any alternative ways to implement this?
Are there any implications of this pull request? Anything a user must know?
Release notes
Please add a corresponding entry to the file CHANGELOG.adoc
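The PR description above says the point of the bump is that JRuby 9.4's Psych is built on SnakeYAML-Engine rather than the original SnakeYAML. A downstream user who wants to confirm that for a deployed artifact can scan the jar for the classes it actually bundles. The script below is an added example, not part of this PR or of asciidoctorj; it assumes the standard class-name prefixes (`org/yaml/snakeyaml/` for the original SnakeYAML, `org/snakeyaml/engine/` for SnakeYAML-Engine) and the Maven `pom.properties` layout, and the sample jars it scans are constructed in memory, not real artifacts. Finding the old package is only a flag to check the version against SnakeYAML advisories; it is not by itself proof of a vulnerable build.

```python
"""Added example: scan a jar (and jars nested inside it) for the YAML backend it bundles.

Assumptions (not taken from the asciidoctorj PR): the original SnakeYAML lives under
org/yaml/snakeyaml/, SnakeYAML-Engine under org/snakeyaml/engine/, and Maven-built
jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties with a version= line.
"""
import io
import zipfile

OLD_SNAKEYAML_PREFIX = "org/yaml/snakeyaml/"      # original SnakeYAML
ENGINE_PREFIX = "org/snakeyaml/engine/"           # SnakeYAML-Engine (used by Psych in JRuby 9.4)
OLD_POM_PROPERTIES = "META-INF/maven/org.yaml/snakeyaml/pom.properties"
MAX_NESTING = 3                                   # how deep to follow jars-inside-jars


def scan_jar(data: bytes, depth: int = 0) -> dict:
    """Report which YAML backends a jar bundles, descending into nested jars."""
    found = {"snakeyaml": False, "snakeyaml_engine": False, "snakeyaml_version": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(OLD_SNAKEYAML_PREFIX) and name.endswith(".class"):
                found["snakeyaml"] = True
            elif name.startswith(ENGINE_PREFIX) and name.endswith(".class"):
                found["snakeyaml_engine"] = True
            elif name == OLD_POM_PROPERTIES:
                # Maven writes "version=<x.y.z>" into pom.properties; record it when present.
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        found["snakeyaml_version"] = line.split("=", 1)[1].strip()
            elif name.endswith(".jar") and depth < MAX_NESTING:
                # Fat/uber jars embed dependency jars as entries; recurse into them.
                nested = scan_jar(zf.read(name), depth + 1)
                found["snakeyaml"] = found["snakeyaml"] or nested["snakeyaml"]
                found["snakeyaml_engine"] = found["snakeyaml_engine"] or nested["snakeyaml_engine"]
                found["snakeyaml_version"] = found["snakeyaml_version"] or nested["snakeyaml_version"]
    return found


def verdict(found: dict) -> str:
    """Turn a scan result into an audit status string."""
    if found["snakeyaml"]:
        version = found["snakeyaml_version"] or "unknown version"
        # Presence is a flag to check the version, not proof of a vulnerability.
        return f"flag: bundles original SnakeYAML ({version}); check it against SnakeYAML advisories"
    if found["snakeyaml_engine"]:
        return "ok: bundles SnakeYAML-Engine (what JRuby 9.4's Psych uses)"
    return "none: no SnakeYAML classes found"


def audit_jar(data: bytes) -> str:
    return verdict(scan_jar(data))


def build_jar(entries: dict) -> bytes:
    """Build an in-memory jar from {entry_name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample jars (not real artifacts): the .class payloads are placeholders.
OLD_BACKEND_JAR = build_jar({
    "org/yaml/snakeyaml/Yaml.class": b"\xca\xfe\xba\xbe",
    OLD_POM_PROPERTIES: b"version=1.33\ngroupId=org.yaml\nartifactId=snakeyaml\n",
})
ENGINE_BACKEND_JAR = build_jar({
    "org/snakeyaml/engine/v2/api/Load.class": b"\xca\xfe\xba\xbe",
})
FAT_JAR = build_jar({            # a fat jar that embeds both of the above
    "BOOT-INF/lib/old-yaml.jar": OLD_BACKEND_JAR,
    "BOOT-INF/lib/engine.jar": ENGINE_BACKEND_JAR,
})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {audit_jar(fh.read())}")
```

Run it against `jruby-complete-<version>.jar` or the application's shaded jar; a fat jar that transitively pulls in the older `org.yaml:snakeyaml` through some other dependency will still be flagged even after the JRuby bump, which is exactly the case a dependency-tree check of asciidoctorj alone would miss.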