[ https://issues.apache.org/jira/browse/CASSANDRA-18340?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711562#comment-17711562 ]

Tatu Saloranta commented on CASSANDRA-18340:
--------------------------------------------

At the very least, why not go to 1.33? It is true that the last few versions have 
mostly been about small things & CVEs (... which may be big if (and only if) 
usage is applicable). But API compatibility has been good.

And if using 1.33 without calling any deprecated methods, 2.0 should actually 
be swappable by users (there are a few deprecated methods removed from 
SnakeYAML 2.x).

> Bump snakeyaml from 1.26 to 2.0
> -------------------------------
>
>                 Key: CASSANDRA-18340
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18340
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Bipin Prasad
>            Assignee: Bipin Prasad
>            Priority: Normal
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> snakeyaml 1.26 has CVEs. Bump version for snakeyaml from 1.26 to 2.0
> To see the CVEs, go to 
> [https://mvnrepository.com/artifact/org.apache.cassandra/cassandra-all/4.1.0] 
> and search for [org.yaml|https://mvnrepository.com/artifact/org.yaml] » 
> [snakeyaml|https://mvnrepository.com/artifact/org.yaml/snakeyaml] under 
> compile dependencies. Vulnerabilities are listed thusly:
>  
> Direct vulnerabilities:
> [CVE-2022-41854|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41854]
> [CVE-2022-38752|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38752]
> [CVE-2022-38751|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38751]
> [View 4 more ...|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#]
> Vulnerabilities from dependencies:
> [CVE-2022-22971|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22971]
> [CVE-2022-22970|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22970]
> [CVE-2022-22968|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22968]
> .............
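The comment above argues that code written against SnakeYAML 1.33 without deprecated calls should compile unchanged against 2.x. The following is an added illustration of that migration-safe loading pattern; it is not code from the Cassandra project or from the Jira thread. It assumes the `org.yaml.snakeyaml` classes `Yaml`, `LoaderOptions` and `SafeConstructor` with the `SafeConstructor(LoaderOptions)` constructor, which exists in 1.33 and is the form that remains in 2.x (the no-argument constructors are among those removed). The YAML document is a constructed sample, not a real node configuration.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/**
 * Loads YAML with SafeConstructor only, so the parser constructs plain
 * maps, lists, strings and numbers and refuses tags that name arbitrary
 * Java classes. This is the deserialization surface the listed snakeyaml
 * CVEs concern, and this construction compiles on both 1.33 and 2.x.
 */
public final class SafeYamlConfig {

    // Constructed sample document; keys are illustrative, not Cassandra's.
    static final String SAMPLE_YAML =
          "cluster_name: 'Example Cluster'\n"
        + "num_tokens: 16\n"
        + "seed_hosts:\n"
        + "  - 10.0.0.1\n"
        + "  - 10.0.0.2\n";

    private SafeYamlConfig() {}

    /** Builds a Yaml instance that never instantiates application classes. */
    static Yaml safeLoader() {
        LoaderOptions options = new LoaderOptions();
        // Reject duplicate keys rather than silently taking the last one.
        options.setAllowDuplicateKeys(false);
        // Explicit LoaderOptions is the signature shared by 1.33 and 2.x.
        return new Yaml(new SafeConstructor(options));
    }

    /** Parses a document into a plain Map; untagged YAML only. */
    @SuppressWarnings("unchecked")
    static Map<String, Object> load(String document) {
        Object parsed = safeLoader().load(document);
        if (!(parsed instanceof Map)) {
            throw new IllegalArgumentException("expected a YAML mapping at top level");
        }
        return (Map<String, Object>) parsed;
    }

    public static void main(String[] args) {
        Map<String, Object> config = load(SAMPLE_YAML);
        System.out.println("cluster_name = " + config.get("cluster_name"));
        System.out.println("num_tokens   = " + config.get("num_tokens"));
        System.out.println("seed_hosts   = " + config.get("seed_hosts"));
    }
}
```

Because nothing here relies on a no-argument `Constructor` or `Yaml` convenience that 2.x dropped, the same source builds against either artifact version; a document carrying a class-naming tag is rejected by `SafeConstructor` at parse time instead of instantiating the named type.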



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
