
Upgrade to SnakeYAML 2.0 #30048

Closed
wants to merge 3 commits into from

Conversation

asomov
Contributor

@asomov asomov commented Feb 28, 2023

SnakeYAML 2.0 delivers backwards incompatible changes
https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes

@asomov
Contributor Author

asomov commented Feb 28, 2023

@bclozel Spring is not affected by CVE-2022-1471, but yes, the tooling should stop complaining after this PR

@bclozel bclozel added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Feb 28, 2023
@bclozel bclozel added this to the 6.1.0-M1 milestone Feb 28, 2023
@bclozel
Member

bclozel commented Feb 28, 2023

This change makes SnakeYaml 2.0+ a requirement for all Spring applications. We're scheduling this for 6.1.0 right now, but we might upgrade Spring Boot 3.1.0 to SnakeYaml 2.0 before that if the source/runtime compatibility is fine.

@zhudaxi

zhudaxi commented Feb 28, 2023

Any plan to apply this fix to Spring Boot 2.x version? Thanks.

@asomov
Contributor Author

asomov commented Mar 1, 2023

@bclozel I can also contribute a PR to Spring Boot

@oreissig

oreissig commented Mar 1, 2023

Is it possible to update the code such that Spring only uses a subset of snakeyaml, that is not affected by backwards-incompatible changes?
If so, we could leave older versions on their currently used version of snakeyaml, while allowing consumers to override to 2.0 if desired.

@sbrannen sbrannen added the in: core Issues in core modules (aop, beans, core, context, expression) label Mar 1, 2023
@bclozel
Member

bclozel commented Mar 1, 2023

@zhudaxi that's a question for the Spring Boot team, I believe they're looking into it already.

@asomov I don't think a PR is needed, the team is already looking into it.

@oreissig yes that's our goal.

@asomov
Contributor Author

asomov commented Mar 7, 2023

This PR fixes failing YamlProcessorTests

@jhoeller jhoeller changed the title SnakeYAML 2.0 is released Upgrade to SnakeYAML 2.0 Mar 7, 2023
@jhoeller jhoeller added type: dependency-upgrade A dependency upgrade and removed type: enhancement A general enhancement labels Mar 7, 2023
@bclozel bclozel self-assigned this May 22, 2023
@bclozel bclozel closed this in 097758b May 22, 2023
bclozel added a commit that referenced this pull request May 22, 2023
@asomov asomov deleted the snake-2-0 branch May 22, 2023 13:03
nidhi-nair added a commit to appsmithorg/appsmith that referenced this pull request Jun 8, 2023
## Description
Upgrades SnakeYaml dependency version forcefully to 2.0 to overcome [this issue](spring-projects/spring-boot#33457), as advised [here](spring-projects/spring-boot#34405 (comment)).

This version tag can be reverted when we upgrade to Spring 6.1, which is when the library [aims](spring-projects/spring-framework#30048 (comment)) to upgrade the version themselves.

Fixes appsmithorg/appsmith-ee#1233

#### Type of change
- Chore (housekeeping or task changes that don't impact user perception)

## Testing
This PR will be tested during regression.

---------

Co-authored-by: Arpit Mohan <mohanarpit@users.noreply.github.com>
Co-authored-by: Shrikant Sharat Kandula <shrikant@appsmith.com>
mdeinum pushed a commit to mdeinum/spring-framework that referenced this pull request Jun 29, 2023
This commit raises the SnakeYAML baseline version to 2.0.
While most Spring applications are not affected by CVE-2022-1471,
upgrading this version should prevent automated tools from raising this
as a security issue. Such tools usually do not understand that YAML
parsing in Spring is about reading configuration, not parsing untrusted
content.

Closes spring-projectsgh-30048
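As an added illustration (not code from this PR, Spring or SnakeYAML) of the source-incompatible change the upgrade deals with: SnakeYAML 2.0 constructors take a `LoaderOptions` argument, and the no-argument `SafeConstructor()` of 1.x no longer exists, so a loader that only ever reads configuration can be written against the 2.0 API like this. The class name, the code point limit and the sample document are assumptions.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Added example, not Spring's YamlProcessor or SnakeYAML's own code.
// Builds a Yaml instance with the LoaderOptions-based constructor that
// SnakeYAML 2.0 requires (1.x code calling the removed no-arg
// SafeConstructor() stops compiling against 2.0).
public final class ConfigYamlLoader {

    private final Yaml yaml;

    public ConfigYamlLoader() {
        LoaderOptions options = new LoaderOptions();
        // Configuration files are small; cap the document size (assumed value).
        options.setCodePointLimit(1024 * 1024);
        // Refuse every global (!!) tag: a config document never needs to
        // name a class to instantiate.
        options.setTagInspector(tag -> false);
        // SafeConstructor only builds standard YAML types: maps, lists, scalars.
        this.yaml = new Yaml(new SafeConstructor(options));
    }

    @SuppressWarnings("unchecked")
    public Map<String, Object> load(String document) {
        return (Map<String, Object>) yaml.load(document);
    }

    public static void main(String[] args) {
        // Constructed sample in the shape of a Spring application.yml.
        String doc = "server:\n  port: 8080\nspring:\n  application:\n    name: demo\n";
        Map<String, Object> root = new ConfigYamlLoader().load(doc);
        System.out.println(root);
    }
}
```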