Update snakeyaml to 2.0 #2198
Comments
|
Currently reddeer requires org.yaml.snakeyaml;bundle-version="1.14.0": Currrent Eclipse IDE ships 1.27 from orbit. All those versions are reported to have multiple vulnerabilities.: Would you please require snakeyaml 2.0? |
odockal
added
dependencies
|
@merks Could you please help this project with setting up proper usage of maven central artifacts? |
|
I will look into it now. |
|
I'm kind of confused where the dependencies come from. I can't find a *.target file. Searching all the files doesn't even clue me in to where the dependency might be specified... |
|
Instead of target file the project defines p2 sites in the pom.xml e.g. https://github.com/eclipse/reddeer/blob/master/pom.xml#L208 . |
|
Reddeer could use https://download.eclipse.org/oomph/simrel-orbit/2023-09 which aggregates Orbit's IBuild (currently with all the direct-from-Maven dependencies of all the SimRel projects, already PGP signed. It contains the following versions:
I assume, given there is no upper bound on the dependency in the MANIFEST.MF, the build would just pick up the 2.0.0 version automatically. Of course this update site will update to minor versions "automatically", and at some point soon, this will be provided/hosted by Orbit's downloads. Okay? |
|
@merks @akurtakov I have prepared PR to tackle this issue. #2206. although I like the site Ed proposed. I will work that in. |
…fixes eclipse#2198 Signed-off-by: Ondrej Dockal <odockal@redhat.com>
|
Do you plan new release soon? It would be nice to have one so this old snakeyaml disappears through the transitive deps updates for 2023-09. |
|
@akurtakov we are working on new release (4.7.0): #2216 :) |
This release fixes CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471 according to https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes
The text was updated successfully, but these errors were encountered: