Upgrade to SnakeYaml 2.0 #31594
Conversation
We will have to wait for Liquibase to adapt to SnakeYaml 2.0:
And also the Kubernetes Client:
/cc @manusa
The Kubernetes Client already moved to SnakeYAML 2.5 (it's also now using SnakeYAML engine instead) thanks to @asomov
The version bump will be included in v6.5.0 planned for the end of this week.
This is necessary for quarkusio#31594 (but not entirely sure it will be sufficient).
Failing Jobs - Building 8edf2c4
Full information is available in the Build summary check run.
Failures:
Gradle Tests - JDK 11 Windows: integration-tests/gradle
JVM Tests - JDK 17 Windows: failing extensions/resteasy-classic/rest-client/runtime; skipped extensions/amazon-lambda-http/deployment, extensions/amazon-lambda-http/http-event-server, extensions/amazon-lambda-rest/deployment and 104 more
Maven Tests - JDK 11 Windows: integration-tests/maven
I think the CI failures are not related to this change (but the CI situation is becoming worse and worse :/).
@gsmet this change breaks quarkus-openapi-generator, or any other project that uses openapitools:openapi-generator, which still uses SnakeYaml 1.33.
@hbelmiro any chance it could be fixed upstream? From my experience, you just need to use the constructor with the options parameter and it makes it work with both versions.
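As an added illustration of the compatibility pattern suggested in the comment above (this is example code written for this page, not code from this PR, from Quarkus, or from openapi-generator), the class below builds its parser only through the LoaderOptions-taking constructors. It assumes that `SafeConstructor(LoaderOptions)` and `Yaml(BaseConstructor)` exist with those signatures in both SnakeYAML 1.33 and 2.0; the method names `safeYaml`, `loadConfig` and `rejectsGlobalTag` and the sample documents are chosen here.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlCompat {

    // Build the parser through the LoaderOptions-taking constructors only.
    // Assumption: SafeConstructor(LoaderOptions) and Yaml(BaseConstructor)
    // are present in both SnakeYAML 1.33 and 2.0, which is what lets one
    // source tree compile against either version.
    static Yaml safeYaml() {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);    // reject ambiguous mappings
        options.setMaxAliasesForCollections(50); // bound alias expansion (billion-laughs style input)
        return new Yaml(new SafeConstructor(options));
    }

    // Plain data documents load as ordinary Java collections.
    static Map<String, Object> loadConfig(String document) {
        return safeYaml().load(document);
    }

    // A document that asks for an arbitrary Java type via a global tag is
    // refused by SafeConstructor, which only knows the standard YAML tags.
    static boolean rejectsGlobalTag(String document) {
        try {
            safeYaml().load(document);
            return false;
        } catch (YAMLException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input, not taken from any real project.
        String config = "name: demo\nreplicas: 3\nlabels: {tier: web}\n";
        System.out.println(loadConfig(config));

        // Constructed: a document that names a JDK class through a global tag.
        String tagged = "!!java.net.URL [\"http://127.0.0.1/\"]";
        System.out.println("global tag rejected: " + rejectsGlobalTag(tagged));
    }
}
```

The point of routing every construction through `LoaderOptions` is that the no-argument constructor forms are the ones whose availability differs between the two major versions, so code written this way does not need a version-specific branch; using `SafeConstructor` rather than `Constructor` is a separate choice that keeps untrusted documents from instantiating application classes on either version.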
@gsmet Actually what needs to update SnakeYaml is swagger-parser instead of openapi-generator. I believe this issue will affect more people due to that. Fortunately, there's a PR open to update SnakeYaml in swagger-parser. Let's wait for the release of swagger-parser and then try to update openapi-generator. Edit: one more PR that fixes the issue: swagger-api/swagger-parser#1900
I'm not entirely sure this is safe as it's a major version and we have several other dependencies depending on it.
I tested the Quarkus GitHub Bot which uses the Jackson YAML mapper and it seems to work so let's see how CI goes.
Note: even if we are not affected by the CVE, it's the first version fixing the high severity CVE that was ongoing with SnakeYaml so could be good for security analysis tools.
Creating as draft for now to get a full CI run.