fiji / Stitching

Fiji's Stitching plugins reconstruct big images from tiled input images.
http://imagej.net/Stitching
GNU General Public License v2.0

Fix CVE dependency issue #71

Closed CVEDetect closed 1 year ago

CVEDetect commented 1 year ago

Fix issue #70 by updating dependency org.yaml:snakeyaml to 2.0 @ctrueden

imagejan commented 1 year ago

The snakeyaml dependency is transitive via formats-bsd and should be fixed there.

ctrueden commented 1 year ago

@imagejan True. But we can also fix it here by updating pom-scijava to manage the 2.0 version of snakeyaml. Right now it manages it at 1.33, and I hesitated to update it to 2.0 due to fear of breaking changes with pom-scijava 34. But I have now done so (scijava/pom-scijava@a11e7d795737e60c50fe84b23d6296265087ef2a), and we will rely on the melting pot to tell us what breaks!

ctrueden commented 1 year ago

Thank you @CVEDetect, you are a lovely robot. But this dependency update has now been accomplished by 5a11611f74bfa7e4ddc5305cb2ff9158e944b309.

ctrueden commented 1 year ago

@imagejan Just to follow up on my findings regarding a potential update in pom-scijava to snakeyaml 2.0: it turns out pom-scijava is currently managing snakeyaml at 1.33, which is new enough to avoid this CVE. And updating to 2.0 broke two projects downstream: ui-behaviour and bigdataviewer-core, due to breaking changes in the snakeyaml API. I updated ui-behaviour to pom-scijava 34.1.0 to avoid bots filing PRs against it. The bigdataviewer-core project is already extending a new-enough version of pom-scijava (34.0.0) to avoid looking shady.
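Added example (not part of the Stitching repository or of anyone's comment above): a small Python check that reads `mvn dependency:tree` output and reports which snakeyaml version the parent BOM actually resolves, and through which transitive path, against the two thresholds the thread discusses (1.33 as managed by pom-scijava, 2.0 as requested by this PR). The sample tree text, its intermediate artifact and all version numbers are constructed for the example.

```python
"""Check the resolved org.yaml:snakeyaml version in `mvn dependency:tree` output.

Added example. Because snakeyaml is transitive (via formats-bsd) and the
version is managed by the parent BOM (pom-scijava), the only reliable place to
read the effective version is the resolved tree, not the child POM.
"""
import re
import sys

# Constructed sample output of `mvn dependency:tree` (versions and the
# formats-api hop are illustrative, not copied from the real build).
SAMPLE_TREE = """\
[INFO] sc.fiji:Stitching_:jar:0.0.0-EXAMPLE
[INFO] +- net.imagej:ij:jar:0.0.0-EXAMPLE:compile
[INFO] +- ome:formats-bsd:jar:0.0.0-EXAMPLE:compile
[INFO] |  +- ome:formats-api:jar:0.0.0-EXAMPLE:compile
[INFO] |  \\- org.yaml:snakeyaml:jar:1.33:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# "[INFO] " then the tree-drawing prefix (|, +, -, \, spaces), then coordinates.
LINE_RE = re.compile(r"^\[INFO\] ([|+\\ -]*)(\S+)$")

def parse_tree(text):
    """Return (ancestor_artifactIds, groupId, artifactId, version) per node."""
    stack, entries = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        prefix, coords = m.groups()
        fields = coords.split(":")
        if len(fields) < 4:
            continue
        depth = len(prefix) // 3            # dependency:tree indents 3 chars per level
        del stack[depth:]                   # drop siblings' subtrees
        entries.append((list(stack), fields[0], fields[1], fields[3]))
        stack.append(fields[1])
    return entries

def version_key(version):
    """Comparable tuple: numeric segments, non-numeric ones count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version))

def check_snakeyaml(text, minimum):
    """List (version, path, ok) for each snakeyaml node; ok = version >= minimum."""
    return [(v, " > ".join(path + [a]), version_key(v) >= version_key(minimum))
            for path, g, a, v in parse_tree(text) if (g, a) == ("org.yaml", "snakeyaml")]

if __name__ == "__main__":
    tree = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for minimum in ("1.33", "2.0"):
        for version, path, ok in check_snakeyaml(tree, minimum):
            print(f"min {minimum}: snakeyaml {version} via {path}: {'ok' if ok else 'BELOW MINIMUM'}")
```

Pass a saved `mvn dependency:tree` log as the first argument to check a real build; with no argument it runs on the constructed sample.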