Bump snakeyaml from 1.33 to 2.0 #75
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
dependabot
bot
added
the
dependencies
There was a problem hiding this comment.
2.0 is a potentially breaking change to consumers as some constructors have been removed.
need to ensure that the removed code is not being used by any consumers before this is upgraded.
dependabot
bot
force-pushed
the
dependabot/maven/org.yaml-snakeyaml-2.0
branch
from
3d85939
to
b67df79
Compare
|
Hi @jtnord |
https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md There is no vulnerability in snakeyaml - it works as expected - the vulnerability is in any libraries that use it insecurely with untrusted data. The Jenkins plugin ecosystem has been checked for this usage. Additionally as commented above - 2.0 is potentially breaking so this needs some time to check all consumers will not break and adjust them as appropriate. |
dependabot
bot
force-pushed
the
dependabot/maven/org.yaml-snakeyaml-2.0
branch
from
b67df79
to
1642e22
Compare
dependabot
bot
force-pushed
the
dependabot/maven/org.yaml-snakeyaml-2.0
branch
from
1642e22
to
f142114
Compare
|
The ConfigurationAsCodeTest in the plugin bill of materials fails with no such method error when snakeyaml is updated to the incremental build from this pull request. The configuration as code automated tests will need adaptation before they are ready for snakeyaml 2.0. |
Bumps [snakeyaml](https://bitbucket.org/snakeyaml/snakeyaml) from 1.33 to 2.0. - [Commits](https://bitbucket.org/snakeyaml/snakeyaml/branches/compare/snakeyaml-2.0..snakeyaml-1.33) --- updated-dependencies: - dependency-name: org.yaml:snakeyaml dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/maven/org.yaml-snakeyaml-2.0
branch
from
f142114
to
5c28c7c
Compare
the production code will need some fixes also |
|
The following proprietary plugins should be tested as well:
|
|
Might need a release of fabric8io/kubernetes-client#5098 and a corresponding upgrade in https://github.com/jenkinsci/kubernetes-client-api-plugin as well. |
|
@basil the PR you linked to is now included https://github.com/fabric8io/kubernetes-client/releases/tag/v6.7.0 |
|
|
https://github.com/jenkinsci/scm-filter-jervis-plugin/ will be broken by SnakeYAML 2.0 due to how it uses Representer without being constructed with DumperOptions. I've updated the upstream library samrocketman/jervis@40b76c2 I am currently working on converting scm-filter-jervis-plugin from gradle to maven so that it can use automated plugin release. I plan to release the update for jervis to maven central once this project is onboarded to maven automatic releases. |
- Requires latest Jenkins. - Packages Jervis 1.7 (same as old version) - Update license copyright to 2023 - Convert from building with Gradle to Maven. - Update plugin for continuous automated release. - Use GMavenPlus to compile groovy. - Targets Java 1.8 bytecode. - Reduce size of plugin by relying on other Jenkins plugins instead of packaging libraries for bouncy castle and snakeyaml. - Update README and plugin docs with terminology updates for accuracy. This release is vulnerable breakage in the future by a dependency: jenkinsci/snakeyaml-api-plugin#75 See also: - https://www.jenkins.io/doc/developer/publishing/releasing-cd/
Jervis centralized all YAML usage in order to save time fixing YAML parsing. See also: - [`YamlOperator`][1]. - jenkinsci/snakeyaml-api-plugin#75 [1]: https://github.com/samrocketman/jervis/blob/jervis-2.0/src/main/groovy/net/gleske/jervis/tools/YamlOperator.groovy
|
scm-filter-jervis successfully patched. It might be worthwhile to centralize common YAML parsing operations plugins might use within this plugin to expose a plugin API for YAML. Jervis used to use snakeyaml in several classes and since centralizing it, it has been easy to react to breaking changes. |
|
I think we are good to go on this, any concerns @jtnord? |
|
the k8s plugins (this will require a bump in some consumers of this plugin) need to be updated and the maintainer is on his holidays at the moment. |
|
Superseded by #94. |
|
@olamy mentions that jenkinsci/blueocean-plugin#2472 is needed to be in a release as well |
Bumps snakeyaml from 1.33 to 2.0.
Commits
c98ffbaissue 561: add negative test casee2ca740Use Maven wrapper on github49d91a1Fix target for github19e331dDisable toolchain for github42c7812Cobertura plugin does not work03c82b5Rename GlobalTagRejectionTest to be run by Maven6e8cd89Remove coberturad9b0f48Improve Javadoc519791aRun install and site goals under docker82f33d2Merge branch 'master' into add-module-infoYou can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)