chore(deps): specify version 1.29 of org.yaml:snakeyaml to stay partially up to date (#999)

It would be nice to jump all the way to 1.33 to get all the way up to date, and to resolve these CVEs: CVE-2022-25857 (1.31), CVE-2022-38749 (1.31), CVE-2022-38750 (1.31), CVE-2022-38751 (1.32) and CVE-2022-38752 (1.32). However, spring-projects/spring-boot#32228 (comment) says to stick with 1.29 until >= 2.6.12, as the commit that resolved that issue (spring-projects/spring-boot@724f9eb) went in to 2.6.12.

Note that spring boot 2.4.13 brings in version 1.27 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.4.13/spring-boot-dependencies-2.4.13.pom).
2.5.14 brings in 1.28 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.5.14/spring-boot-dependencies-2.5.14.pom)
2.6.13 brings in 1.29 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.6.13/spring-boot-dependencies-2.6.13.pom)
2.7.5 brings in 1.30 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.7.5/spring-boot-dependencies-2.7.5.pom)

Note also that snakeyaml 1.32 introduces a default 3MB limit (see https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/22). If, for example, clouddriver-local.yml is bigger than that, perhaps due to a large number of accounts, clouddriver fails to start.