fix(cve): Upgrade snakeyaml from 1.29 to 1.31
Spring Boot 2.6.15 brings snakeyaml 1.29, which fails to parse YAML (including some k8s manifests) due to the issue mentioned [here](spring-projects/spring-boot#30159 (comment)). It's safe to upgrade beyond 1.29. However, snakeyaml 1.32 introduced a [feature](https://bitbucket.org/snakeyaml/snakeyaml/issues/547/restrict-the-size-of-incoming-data) restricting the size of incoming data, i.e. file size, to 3 MB by default, and Spring Boot versions <= 3.0.7 are not equipped to modify this limit. So attempting to use 1.31 in order to avoid the file size limitation until the upgrade to >= 3.0.7, and to resolve CVE-2022-25857 and CVE-2022-38749. spring-projects/spring-boot#32228 (comment).
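As an added illustration that is not part of this commit or its repository, the override below pins the snakeyaml version managed by Spring Boot to the one the commit message chose. It assumes a Maven project that inherits from `spring-boot-starter-parent`, whose dependency management exposes the `snakeyaml.version` property; the `<parent>` coordinates are shown only for context and the surrounding project settings are a constructed placeholder.

```xml
<!-- Constructed example pom.xml fragment, not the project's own build file. -->
<project>
  <!-- Assumes the project inherits Spring Boot's managed dependency versions. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.15</version>
  </parent>

  <properties>
    <!-- Spring Boot 2.6.15 manages snakeyaml 1.29 by default.
         1.31 keeps the CVE-2022-25857 / CVE-2022-38749 fixes without the
         3 MB incoming-data limit that 1.32 enforces by default. -->
    <snakeyaml.version>1.31</snakeyaml.version>
  </properties>
</project>
```

After changing the property, `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` shows which version is actually resolved, which is the check to run before relying on the upgrade.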