lhotari opened a new pull request, #26023:
URL: https://github.com/apache/pulsar/pull/26023
### Motivation

SnakeYAML was pinned at `2.0`. This bumps it to the latest 2.x release (`2.6`) to stay current and pick up the per-document size-limit handling, an emoji parsing fix, and the performance/allocation improvements made across the 2.x line. The entire 2.x line is binary and source compatible — the breaking changes (such as safe-loading by default for CVE-2022-1471) happened in the 1.x → 2.0 jump — so this is a maintenance refresh with no behavioral change. The parsing-limit defaults (`codePointLimit` 3 MB, `nestingDepthLimit` 50, `maxAliasesForCollections` 50) are unchanged since before 2.0. No CVEs were fixed between 2.1 and 2.6, so this is not a security fix.

SnakeYAML is a transitive dependency (via `jackson-dataformat-yaml`) that Pulsar pins for convergence and shades into the client and function localrun jars. There is no direct `org.yaml.snakeyaml` API usage in the codebase, so the change is limited to the version pin and the bundled-jar references in the binary LICENSE files. Jackson 2.21.x bundles SnakeYAML 2.5; forcing 2.6 (one patch ahead, with no API or default-limit changes) is the convergence pin Pulsar already maintains.
### Modifications

- Bump `snakeyaml` `2.0` → `2.6` in the Gradle version catalog (`gradle/libs.versions.toml`).
- Update the bundled SnakeYAML jar version in the server and shell binary LICENSE files (`distribution/server/src/assemble/LICENSE.bin.txt`, `distribution/shell/src/assemble/LICENSE.bin.txt`).
### Verifying this change

- [x] Make sure that the change passes the CI checks.

This change is a trivial dependency-version bump without new test coverage. It was verified locally as follows:

- `./gradlew :pulsar-common:dependencyInsight --dependency org.yaml:snakeyaml` confirms `org.yaml:snakeyaml` resolves to `2.6` (forced by the convergence constraint, winning over Jackson's bundled 2.5).
- The server and shell distribution tarballs bundle `org.yaml-snakeyaml-2.6.jar` and `snakeyaml-2.6.jar` respectively, matching the updated LICENSE pins.
- `./gradlew checkBinaryLicense` passes, validating the bundled jars against the binary LICENSE files.
### Does this pull request potentially affect one of the following parts:

*If the box was checked, please highlight the changes*

- [x] Dependencies (add or upgrade a dependency)
- [ ] The public API
- [ ] The schema
- [ ] The default values of configurations
- [ ] The threading model
- [ ] The binary protocol
- [ ] The REST endpoints
- [ ] The admin CLI options
- [ ] The metrics
- [ ] Anything that affects deployment
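The verification steps above check three places by hand: the version catalog pin, the version Gradle actually resolves, and the jar named in the binary LICENSE file. The script below is an added example (not Pulsar's own tooling, and not part of the pull request) that automates that three-way convergence check for one dependency. It assumes the shape of the `gradle/libs.versions.toml` `[versions]` entry, of `dependencyInsight` output, and of the LICENSE bundled-jar lines; all three inputs are constructed samples embedded inline so it runs offline.

```shell
#!/bin/sh
# Added example: cross-check that the version pinned in the Gradle version
# catalog, the version Gradle resolves (per `dependencyInsight`), and the jar
# listed in a binary LICENSE file all agree for one dependency.

# Constructed sample of a gradle/libs.versions.toml [versions] table.
SAMPLE_CATALOG='[versions]
jackson = "2.21.0"
snakeyaml = "2.6"
'

# Constructed excerpt of `./gradlew dependencyInsight --dependency org.yaml:snakeyaml`
# output. The first line is the selected version; a later line shows the
# version Jackson requested and the arrow to what was forced (shape assumed).
SAMPLE_INSIGHT='org.yaml:snakeyaml:2.6 (forced)
  Variant runtime:
    | Attribute Name | Provided | Requested |

org.yaml:snakeyaml:2.5 -> 2.6
\--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.21.0
'

# Constructed excerpt of a LICENSE.bin.txt bundled-jar list (assumed format).
SAMPLE_LICENSE='  - org.yaml-snakeyaml-2.6.jar
  - com.fasterxml.jackson.dataformat-jackson-dataformat-yaml-2.21.0.jar
'

# catalog_version KEY TOML_TEXT -> the version string pinned under [versions]
catalog_version() {
  printf '%s\n' "$2" | sed -n "s/^$1 *= *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# resolved_version GROUP:ARTIFACT INSIGHT_TEXT -> the version Gradle selected.
# A "requested -> selected" line yields the selected side; a plain
# "group:artifact:version (reason)" line yields the version token.
resolved_version() {
  printf '%s\n' "$2" | awk -v dep="$1" '
    index($0, dep ":") == 1 {
      if ($0 ~ / -> /) { sub(/.* -> /, ""); print $1; exit }
      v = substr($0, length(dep) + 2); sub(/[ (].*/, "", v); print v; exit
    }'
}

# bundled_jar_version ARTIFACT LICENSE_TEXT -> version in the "<artifact>-<version>.jar" entry
bundled_jar_version() {
  printf '%s\n' "$2" | sed -n "s/.*$1-\([0-9][0-9.]*\)\.jar.*/\1/p" | head -n 1
}

# check_convergence GROUP:ARTIFACT CATALOG_KEY -> prints all three versions and
# succeeds only when pin, resolution and bundled jar agree.
check_convergence() {
  pinned=$(catalog_version "$2" "$SAMPLE_CATALOG")
  resolved=$(resolved_version "$1" "$SAMPLE_INSIGHT")
  bundled=$(bundled_jar_version "$2" "$SAMPLE_LICENSE")
  printf 'pinned=%s resolved=%s bundled=%s\n' "$pinned" "$resolved" "$bundled"
  [ -n "$pinned" ] && [ "$pinned" = "$resolved" ] && [ "$pinned" = "$bundled" ]
}

check_convergence org.yaml:snakeyaml snakeyaml
```

Against a real checkout, `SAMPLE_CATALOG` would be `$(cat gradle/libs.versions.toml)`, `SAMPLE_INSIGHT` the captured `dependencyInsight` output, and `SAMPLE_LICENSE` the relevant `LICENSE.bin.txt`; a non-zero exit then flags a pin, a resolved version, or a LICENSE entry that has drifted from the others.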
--
This is an automated message from the Apache Git Service.