
chore(deps): specify version 1.29 of org.yaml:snakeyaml to stay partially up to date #999

Merged
merged 1 commit into from Dec 2, 2022

Commits on Dec 2, 2022

  1. chore(deps): specify version 1.29 of org.yaml:snakeyaml to stay partially up to date
    
    It would be nice to jump all the way to 1.33 to get all the way up to date, and to resolve these CVEs:
    
    CVE-2022-25857 (1.31), CVE-2022-38749 (1.31), CVE-2022-38750 (1.31), CVE-2022-38751 (1.32) and CVE-2022-38752 (1.32).
    
    However, spring-projects/spring-boot#32228 (comment) says
    to stick with 1.29 until >= 2.6.12, as the commit that resolved that issue
    (spring-projects/spring-boot@724f9eb)
    went into 2.6.12.
    
    Note that spring boot 2.4.13 brings in version 1.27 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.4.13/spring-boot-dependencies-2.4.13.pom).
    
    2.5.14 brings in 1.28 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.5.14/spring-boot-dependencies-2.5.14.pom)
    2.6.13 brings in 1.29 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.6.13/spring-boot-dependencies-2.6.13.pom)
    2.7.5 brings in 1.30 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.7.5/spring-boot-dependencies-2.7.5.pom)
    
    Note also that snakeyaml 1.32 introduces a default 3MB limit (see https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/22). If, for example, clouddriver-local.yml is bigger than that, perhaps due to a large number of accounts, clouddriver fails to start.
    dbyron-sf committed Dec 2, 2022
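The 3MB limit the commit message warns about is SnakeYAML's `LoaderOptions` code point limit, added in 1.32. The following is an added example, not code from this commit, from clouddriver or from the SnakeYAML project: it builds a synthetic `accounts:` document large enough to trip the default limit, shows the load failing with the default `LoaderOptions`, and then loads the same document after raising the limit with `LoaderOptions#setCodePointLimit`. The class name, the helper method names and the generated document are assumptions made for the illustration; it needs `org.yaml:snakeyaml` 1.32 or later on the classpath.

```java
// Added example (not part of the clouddriver commit or of SnakeYAML itself).
// Requires org.yaml:snakeyaml >= 1.32, where LoaderOptions#setCodePointLimit
// and the default limit of 3 * 1024 * 1024 code points were introduced.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.List;
import java.util.Map;

public class SnakeYamlCodePointLimitDemo {

    // Constructed input: a document with many synthetic account entries,
    // standing in for a clouddriver-local.yml with a large number of accounts.
    // Each entry is roughly 260 characters, so 20_000 entries is ~5 MB.
    static String buildLargeAccountsYaml(int accounts) {
        StringBuilder sb = new StringBuilder("accounts:\n");
        for (int i = 0; i < accounts; i++) {
            sb.append("  - name: account-").append(i).append('\n')
              .append("    region: us-west-2\n")
              .append("    description: \"").append("x".repeat(200)).append("\"\n");
        }
        return sb.toString();
    }

    // Parse with SnakeYAML's default LoaderOptions. On 1.32+ this throws a
    // YAMLException once the input exceeds 3 * 1024 * 1024 code points;
    // on 1.31 and earlier there is no limit and the load succeeds.
    static Object loadWithDefaultLimit(String doc) {
        return new Yaml().load(doc);
    }

    // Parse with an explicitly raised limit. This is the knob an application
    // that constructs its own Yaml instance can turn; it does not help when the
    // parser is created by a framework that does not expose LoaderOptions.
    static Object loadWithRaisedLimit(String doc, int codePointLimit) {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(codePointLimit);
        return new Yaml(opts).load(doc);
    }

    public static void main(String[] args) {
        String doc = buildLargeAccountsYaml(20_000);
        System.out.println("document size (code points): "
                + doc.codePointCount(0, doc.length()));

        try {
            loadWithDefaultLimit(doc);
            System.out.println("default limit: loaded (no limit before 1.32)");
        } catch (YAMLException e) {
            // On 1.32+ this branch is taken: the same failure mode that keeps
            // clouddriver from starting when its config exceeds the default.
            System.out.println("default limit: rejected: " + e.getMessage());
        }

        Map<?, ?> parsed = (Map<?, ?>) loadWithRaisedLimit(doc, 16 * 1024 * 1024);
        List<?> accounts = (List<?>) parsed.get("accounts");
        System.out.println("raised limit: loaded " + accounts.size() + " accounts");
    }
}
```

The limit is a deliberate denial-of-service guard, so raising it should be sized to the largest document the process legitimately reads rather than set to `Integer.MAX_VALUE`. Note also that the override only reaches parsers the application constructs itself; a config file read by a framework's own YAML loader needs that framework to expose the option.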