
Bump SnakeYAML from 1.27 to 2.2 to address multiple security vulnerabilities #263

Open: wants to merge 1 commit into base: v15

Conversation


@Alexander01998 Alexander01998 commented Jun 23, 2024

The currently used SnakeYAML v1.27 has multiple security vulnerabilities. Specifically:
CVE-2022-1471
CVE-2022-25857
CVE-2022-41854
CVE-2022-38750
CVE-2022-38751
CVE-2022-38749
CVE-2022-38752

This PR updates SnakeYAML to v2.2, which is currently the latest version. Alternatively, updating to v2.0 or v2.1 would also resolve all of the vulnerabilities.

I did not find any compatibility issues with the update, but I'm also not that familiar with SnakeYAML or with your codebase, so I might have missed something. Apologies if applying this update is not feasible.

The previously used v1.27 has multiple security vulnerabilities. Specifically:
CVE-2022-1471
CVE-2022-25857
CVE-2022-41854
CVE-2022-38750
CVE-2022-38751
CVE-2022-38749
CVE-2022-38752

This update fixes all of them.
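The CVEs listed in this PR fall into two groups: CVE-2022-1471 is arbitrary-class instantiation by SnakeYAML's default Constructor when a document carries a global tag, and the remaining six are parser denial-of-service bugs (stack overflow and resource exhaustion) on crafted input. Bumping the dependency is the fix, but the way the library is invoked still matters. The following is an added example, not code from this PR or from the project it targets; it shows the loading pattern a reviewer would look for after the bump, using only the public SnakeYAML 2.x API (`LoaderOptions`, `SafeConstructor`, `Yaml`). The class name `SafeYamlLoad`, the helper `loadConfig`, and the specific limit values are illustrative choices, and the sample documents are constructed inline. The second and third samples are rejected by configuration, which is the point of the example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

// Hypothetical helper (not part of the project): loads YAML with the
// SnakeYAML 2.x safe constructor and explicit resource limits.
public class SafeYamlLoad {

    // Limits are illustrative; size them to the largest legitimate document
    // the application expects.
    static LoaderOptions hardenedOptions() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);       // reject silently overwritten keys
        opts.setMaxAliasesForCollections(50);    // cap anchor/alias expansion
        opts.setNestingDepthLimit(20);           // cap nested collections (DoS CVEs)
        opts.setCodePointLimit(1024 * 1024);     // cap document size at 1 MiB
        return opts;
    }

    // SafeConstructor only builds standard YAML types (maps, lists, scalars);
    // global tags that name a Java class are rejected (CVE-2022-1471 class).
    static Yaml safeYaml() {
        return new Yaml(new SafeConstructor(hardenedOptions()));
    }

    // Loads a configuration document and insists on a mapping at the root.
    @SuppressWarnings("unchecked")
    static Map<String, Object> loadConfig(String text) {
        Object root = safeYaml().load(text);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("root of config must be a mapping");
        }
        return (Map<String, Object>) root;
    }

    public static void main(String[] args) {
        // Constructed sample 1: an ordinary config document; loads as a Map.
        String benign = "server:\n  port: 8080\n  host: localhost\n";
        System.out.println("loaded: " + loadConfig(benign));

        // Constructed sample 2: a global tag naming a (placeholder) Java class.
        // SafeConstructor has no constructor for the tag and throws.
        String tagged = "!!com.example.PlaceholderClass {}\n";
        try {
            safeYaml().load(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected tagged document: " + e.getMessage());
        }

        // Constructed sample 3: collections nested deeper than the configured
        // limit; the composer stops before the recursion grows further.
        StringBuilder deep = new StringBuilder();
        for (int i = 0; i < 100; i++) deep.append('[');
        for (int i = 0; i < 100; i++) deep.append(']');
        try {
            safeYaml().load(deep.toString());
            System.out.println("unexpected: deeply nested document was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected nested document: " + e.getMessage());
        }
    }
}
```

In SnakeYAML 2.x the `LoaderOptions` argument to `SafeConstructor` is mandatory, so a codebase that compiled against 1.27 with `new Yaml(new SafeConstructor())` will not compile unchanged; that compile error is the easiest way to find every load site during the review of this bump.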