chore(deps): specify version 1.29 of org.yaml:snakeyaml to stay partially up to date

[dbyron-sf]

It would be nice to jump all the way to 1.33 to get all the way up to date, and to resolve these CVEs:

CVE-2022-25857 (1.31), CVE-2022-38749 (1.31), CVE-2022-38750 (1.31), CVE-2022-38751 (1.32) and CVE-2022-38752 (1.32).

However, spring-projects/spring-boot#32228 (comment) says to stick with 1.29 until >= 2.6.12, as the commit that resolved that issue went in to 2.6.12.

Note that spring boot 2.4.13 brings in version 1.27 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.4.13/spring-boot-dependencies-2.4.13.pom).

2.5.14 brings in 1.28 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.5.14/spring-boot-dependencies-2.5.14.pom)
2.6.13 brings in 1.29 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.6.13/spring-boot-dependencies-2.6.13.pom)
2.7.5 brings in 1.30 (see https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.7.5/spring-boot-dependencies-2.7.5.pom)

Note also that snakeyaml 1.32 introduces a default 3MB limit (see https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/22). If, for example, clouddriver-local.yml is bigger than that, perhaps due to a large number of accounts, clouddriver fails to start.

[jasonmcintosh]

Do we NEED to set it or is spring transitively going to bring in the right dep versions? AKA can that whole constraint be removed?

[dbyron-sf]

Do we NEED to set it or is spring transitively going to bring in the right dep versions? AKA can that whole constraint be removed?

I figure 1.29 is an improvement over what spring boot 2.4.13 brings in, so for that we need to set it. Once we upgrade spring boot enough, we can remove it.