lread
commented
1 year ago We have decided to wait until SnakeYAML 2.1 is released before upgrading. The idea is that the dust should have settled by then.
TrustedTagInspector is being removed in 2.1
SnakeYAML 2.1, which at the time of this writing, has yet to be released, moves TrustedTagInspector from their release artifact to a not-released example test class.
Note: the TrustedTagInspector might have been better named TrustingTagInspector, it simply allows any and all yaml global tags.
I made use of the TrustedTagInspector class in my SnakeYAML 2.0 PR to mimic SnakeYAML 1.x behaviour to support clj-yaml :unsafe feature.
Option 1 - Include a TrustedTagInspector.java in clj-yaml
Clj-yaml has Java sources already, just bring this wee class over and use it.
Option 2 - Same as 1 but do it in Clojure
Just because clj-yaml has Java sources does not mean it should have more.
We can express the equivalent of TrustedTagInspector inline via a reify in clj-yaml.
Option 3 - Force clj-yaml users to create their own trusted tag inspector.
With all the SnakeYAML CVE turmoil, I can see why team SnakeYAML turfed the TrustedTagInspector. They want to force their users to be very deliberate when doing unsafe things.
Since clj-yaml is already safe by default, and only : unsafe on request, I don't see a need to follow the SnakeYAML strategy here with a breaking change.
We also want to remain babashka-friendly.
Proposal
Option 2 makes the most sense to me. @borkdude any thoughts, or concerns?
borkdude
arichiardi
SnakeYAML 2.0 has been released:
Perceived advantages to upgrade:
I'll start with a PR to explore