jreijn / spring-comparing-template-engines

Demo project to show different Java templating engines in combination with Spring MVC
Apache License 2.0

Fix CVE dependency issue #106

Closed CVEDetect closed 1 year ago

CVEDetect commented 1 year ago

Fix issue #105 by updating dependency org.yaml:snakeyaml to 1.33 @jreijn

Vest commented 1 year ago

@CVEDetect is it a virus?

CVEDetect commented 1 year ago

> @CVEDetect is it a virus?

@Vest It is a CVE vulnerability; there is a description of this vulnerability in #105.

Vest commented 1 year ago

I saw it. Instead of blindly approving your PR, have you seen a direct dependency on snakeyaml in this repository?

If not, have you contacted the owners of the dependencies that we use directly? If the vulnerability is fixed, I will bump Spring and the other dependencies.

One last thing: have you tried to use this vulnerability in the current project? What was the outcome?

Thanks
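Vest's checklist above (is snakeyaml declared directly, which direct dependency pulls it in, and is the resolved version already at or past the fix) can be answered from the output of `mvn dependency:tree`. What follows is an added example, not code from this project or from either commenter: it parses the tree text and reports, for the flagged artifact, whether it is direct or transitive, the path it arrives by, and whether the resolved version meets the fixed version. The tree text is a constructed sample with illustrative version numbers, not this repository's real dependency tree, and the `triage`/`version_key` helpers are this example's own.

```python
"""Triage a CVE reported against a transitive Maven dependency.

Parses the text printed by `mvn dependency:tree` and answers the questions a
maintainer asks before touching the pom: is the flagged artifact declared
directly, or pulled in by some other dependency (and which one)? And does the
resolved version already meet the fix? The tree below is a constructed sample.
"""
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` output; versions are illustrative,
# not the real project's resolved tree.
SAMPLE_TREE = r"""[INFO] com.example:spring-comparing-template-engines:jar:1.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.5:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.5:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.23:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.7.5:compile
[INFO] |  \- org.thymeleaf:thymeleaf-spring5:jar:3.0.15.RELEASE:compile
[INFO] \- org.freemarker:freemarker:jar:2.3.31:compile
"""

# One tree line: "[INFO] " + drawing prefix ("|  "/"   " groups, then "+- " or "\- ") + coordinates.
LINE_RE = re.compile(r"^\[INFO\]\s(?P<prefix>(?:[|\s]{3})*(?:[+\\]-\s)?)(?P<gav>\S+)$")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int                      # 0 = the project itself, 1 = direct dependency
    parent: "Node | None" = None

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"

    def path_from_root(self) -> list["Node"]:
        chain, n = [], self
        while n is not None:
            chain.append(n)
            n = n.parent
        return list(reversed(chain))


def parse_tree(text: str) -> list[Node]:
    """Turn dependency:tree text into Nodes linked to their parents."""
    nodes, stack = [], []           # stack[d] = most recent node seen at depth d
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue                # banner, summary and blank lines are not tree rows
        depth = len(m.group("prefix")) // 3
        parts = m.group("gav").split(":")
        if len(parts) == 4:         # root row: group:artifact:packaging:version
            version, scope = parts[3], ""
        else:                       # group:artifact:packaging[:classifier]:version:scope
            version, scope = parts[-2], parts[-1]
        parent = stack[depth - 1] if depth > 0 else None
        node = Node(parts[0], parts[1], version, scope, depth, parent)
        del stack[depth:]           # drop deeper siblings' subtrees
        stack.append(node)
        nodes.append(node)
    return nodes


def version_key(v: str) -> tuple:
    """Numeric-aware ordering: '1.30' < '1.33'; non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


@dataclass
class Finding:
    coordinates: str
    direct: bool
    via: str            # the direct dependency that pulls it in ("" when direct)
    fixed: bool         # resolved version >= fixed version


def triage(tree_text: str, group: str, artifact: str, fixed_version: str) -> list[Finding]:
    """Locate every occurrence of group:artifact and classify it."""
    findings = []
    for n in parse_tree(tree_text):
        if (n.group, n.artifact) != (group, artifact):
            continue
        path = n.path_from_root()   # [project, direct dep, ..., n]
        direct = n.depth == 1
        via = "" if direct else path[1].coordinates
        fixed = version_key(n.version) >= version_key(fixed_version)
        findings.append(Finding(n.coordinates, direct, via, fixed))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_TREE, "org.yaml", "snakeyaml", "1.33"):
        kind = "direct" if f.direct else f"transitive via {f.via}"
        state = "already at/after fix" if f.fixed else "below fixed version"
        print(f"{f.coordinates}: {kind}; {state}")
```

In the sample the flagged artifact is transitive, so the right move is the one the thread ends on: bump the direct dependency that brings it in (the Spring Boot starter) rather than pin a version the project never declared. A `dependencyManagement` override is the fallback when no fixed upstream release exists yet.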

CVEDetect commented 1 year ago

> I saw it. Instead of blindly approving your PR, have you seen a direct dependency on snakeyaml in this repository?
>
> If not, have you contacted the owners of the dependencies that we use directly? If the vulnerability is fixed, I will bump Spring and the other dependencies.
>
> One last thing: have you tried to use this vulnerability in the current project? What was the outcome?
>
> Thanks

Versions starting from Spring 3.0.0 have upgraded snakeyaml to 1.33 to fix this vulnerability.

Vest commented 1 year ago

I am glad you came to the same conclusion. And I hope you understand why I declined your PR. I am working on the migration to Spring 3.

CVEDetect commented 1 year ago

Thank you for your reply.