Closed patpatpat123 closed 1 year ago
Hello team,
Just wanted to reach out to say thanks for this project. I am reaching out because it seems this project is pulling a vulnerable dependency, the org.yaml:snakeyaml:jar:1.33
```
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:3.1.0-RC1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:3.1.0-RC1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:3.1.0-RC1:compile
[INFO] |  |  |  \- org.springframework:spring-context:jar:6.0.8:compile
[INFO] |  |  |     +- org.springframework:spring-aop:jar:6.0.8:compile
[INFO] |  |  |     \- org.springframework:spring-expression:jar:6.0.8:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:3.1.0-RC1:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.4.7:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.4.7:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.20.0:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.20.0:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:2.0.7:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:2.1.1:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.33:compile   <----- vulnerable
```
Would it be possible to bump this to the latest 2.0 version please?
Thank you
This project has no single dependency.
From the dependency:tree above, it rather looks like it's about a dependency of org.springframework.boot:spring-boot-starter.
@pzygielo many thanks for your clarification
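Since the thread ends with the finding that org.yaml:snakeyaml:1.33 arrives transitively through spring-boot-starter rather than from this project, the practical fix sits in the consuming application's own build. The pom.xml below is an added example, not code from the thread, from this project or from Spring Boot: it assumes a Maven application that inherits from spring-boot-starter-parent 3.1.0-RC1 (the version shown in the tree above) and depends on spring-boot-starter-webflux; the coordinates `com.example:demo` are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Assumption: the application inherits Spring Boot's parent POM, which is
       where the managed org.yaml:snakeyaml version (1.33 in the tree above)
       comes from. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.1.0-RC1</version>
    <relativePath/>
  </parent>

  <!-- Placeholder coordinates for the example application. -->
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- spring-boot-dependencies declares the managed SnakeYAML version through
         this property; redefining it in the child POM overrides the 1.33 that
         spring-boot-starter would otherwise pull in. -->
    <snakeyaml.version>2.0</snakeyaml.version>
  </properties>

  <dependencies>
    <!-- No version here: it is managed by the parent, now resolved to 2.0. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-webflux</artifactId>
    </dependency>
  </dependencies>
</project>
```

Check the result with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`; the only SnakeYAML entry should now read `org.yaml:snakeyaml:jar:2.0:compile` under spring-boot-starter. Two caveats: if the build imports `spring-boot-dependencies` as a BOM in `<dependencyManagement>` instead of using the parent, the property override does not apply, and the pinned `org.yaml:snakeyaml` entry has to be declared in `<dependencyManagement>` before the BOM import so that it wins; and SnakeYAML 2.0 is a major release with API and default-behaviour changes (notably stricter handling of global tags), so any application code that calls the SnakeYAML API directly, beyond Spring's own configuration loading, should be re-tested after the bump.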