liquibase-core 4.23.0 still refer to snakeyaml:1.33 #4466
Comments
Hi @faris-git
And the pom file in master points to 2.0 (liquibase/liquibase-standard/pom.xml, line 145 in 286a188).
And here's the PR that bumped it. Can you provide more details?
I am having the same issue as above. Is there a solution for this issue? It was causing a lot of security-related concerns with the use of this package.
Hi, I'm not able to reproduce this issue. I tried with Java 8, 11, 17 and 20 using Maven 3.8.7, 3.9.1, 3.9.2 and 3.9.3. Output is always as
My pom.xml:
Maybe I am missing something?
I still have the same problem, and I found a sample to reproduce it. Here is the pom.xml:
Run:
Hope this helps.
The workaround is to explicitly add the new snakeyaml version in pom.xml.
I wouldn't recommend this solution, but just to get rid of the security issue I need to do this.
@faris-git thanks for the feedback! So the problem may be happening because the latest Spring Boot release still depends on Liquibase 4.20.0, which depends on Snakeyaml 1.33. Meanwhile, forcing Snakeyaml v2 as you did would be the best workaround.
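The override discussed in the two comments above, written out as an added example (this pom is not from the issue thread or from the Liquibase project). It assumes a consumer project that uses spring-boot-starter-parent 3.1.2 as its parent; the `com.example` coordinates are made up. The reason the override is needed: in Spring Boot 3.1.x the spring-boot-dependencies BOM manages `org.yaml:snakeyaml` at 1.33 through the `snakeyaml.version` property, and Maven's dependency management takes precedence over the version a transitive dependency such as liquibase-core 4.23.0 declares for itself, which is why `dependency:tree` keeps showing 1.33.

```xml
<!-- Added example, not from the issue or the Liquibase project.
     Assumes: spring-boot-starter-parent 3.1.2 as parent; com.example coordinates are made up. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.1.2</version>
    <relativePath/>
  </parent>

  <!-- assumed coordinates -->
  <groupId>com.example</groupId>
  <artifactId>liquibase-snakeyaml-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- The Spring Boot BOM resolves snakeyaml through this property.
         Redefining it in the child pom wins over the BOM's value (1.33 in Boot 3.1.x). -->
    <snakeyaml.version>2.0</snakeyaml.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Explicit managed version as well: this also covers builds that import
           spring-boot-dependencies with scope "import" instead of inheriting the
           parent, where overriding the property alone has no effect. -->
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>2.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Explicit version because the Boot BOM would otherwise manage liquibase-core
         at its own (older) version. -->
    <dependency>
      <groupId>org.liquibase</groupId>
      <artifactId>liquibase-core</artifactId>
      <version>4.23.0</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`; the filtered tree should list `org.yaml:snakeyaml:jar:2.0:compile` and nothing at 1.33. One caveat before shipping this: SnakeYAML 2.x changed its public API, so the override is only safe if every other library on the classpath that uses SnakeYAML has been built against 2.x. Liquibase 4.23.0 declares 2.0 in its own pom (as this issue notes), so Liquibase itself is fine; check any other YAML consumers in the build the same way.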
The issue is still there. I've checked with the new spring-boot 3.1.3 and liquibase-core 4.23.1. pom.xml:
And
I still see it referring to snakeyaml:1.33.
Search first
Description
We use liquibase-core:4.23.0 in our project, and my dependency:tree shows snakeyaml:1.33, but the liquibase-core:4.23.0 manifest shows 2.0.3.
Downloaded from maven central:
Downloaded from central: https://repo.maven.apache.org/maven2/org/liquibase/liquibase-core/4.23.0/liquibase-core-4.23.0.jar
Please see the dependency:tree map of my maven project.
Important: snakeyaml 1.33 is subject to a security vulnerability. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471
Steps To Reproduce
In pom.xml, add liquibase-core as your dependency:
And run `mvn dependency:tree`
Expected/Desired Behavior
org.yaml:snakeyaml:2.0
Liquibase Version
4.23.0
Database Vendor & Version
No response
Liquibase Integration
No response
Liquibase Extensions
No response
OS and/or Infrastructure Type/Provider
No response
Additional Context
Spring-boot: 3.1.2
Are you willing to submit a PR?