Commit
chore(deps): specify version 1.29 of org.yaml:snakeyaml to stay partially up to date

It would be nice to jump all the way to 1.33 to get all the way up to date, and to resolve these CVEs: CVE-2022-25857 (1.31), CVE-2022-38749 (1.31), CVE-2022-38750 (1.31), CVE-2022-38751 (1.32) and CVE-2022-38752 (1.32).

However, spring-projects/spring-boot#32228 (comment) says to stick with 1.29 until >= 2.6.12, as the commit that resolved that issue (spring-projects/spring-boot@724f9eb) went in to 2.6.12.

Note that spring boot 2.4.13 brings in version 1.27 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.4.13/spring-boot-dependencies-2.4.13.pom).
2.5.14 brings in 1.28 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.5.14/spring-boot-dependencies-2.5.14.pom)
2.6.13 brings in 1.29 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.6.13/spring-boot-dependencies-2.6.13.pom)
2.7.5 brings in 1.30 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.7.5/spring-boot-dependencies-2.7.5.pom)

Note also that snakeyaml 1.32 introduces a default 3MB limit (see https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/22). If, for example, clouddriver-local.yml is bigger than that, perhaps due to a large number of accounts, clouddriver fails to start.