Hi Jose-

Yes, you would need to update the feature file (or other deployment approach) 
that references that and override it there. If your project does not use 
snakeyaml, you may be able to safely remove it.  Snakeyaml is most likely being 
pulled in by the JSON support features cxf-jaxrs-jackson (or similar).

Keep in mind, newer patched dependency libraries are starting to require JDK 11 
(and possibly JDK 17, since JDK 11 is also nearing end-of-life). You are 
probably starting down a path that involves more than upgrading just the single 
snakeyaml library.

Thanks
Matt Pavlovich

> On Apr 16, 2025, at 1:34 PM, jose.garn...@toshibagcs.com wrote:
> 
> Karaf folks,
>  
> We have a project with Karaf 4.2.16 and Java 8. The project uses the 
> CXF features, and it looks like this is including snakeyaml 1.33; we want to 
> remove or upgrade it to avoid getting the CVE-2022-1471 vulnerability.
> 
> Is there a way in Karaf to solve this?
>  
>  
> Just FYI, this is the library:
> <!-- https://mvnrepository.com/artifact/org.yaml/snakeyaml -->
> <dependency>
>     <groupId>org.yaml</groupId>
>     <artifactId>snakeyaml</artifactId>
>     <version>2.0</version>
> </dependency>
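The override Matt describes (changing what the feature-level deployment resolves for snakeyaml instead of only editing the pom) can be done with Karaf 4.2's features-processing file, etc/org.apache.karaf.features.xml, rather than by copying the CXF feature file. The following is an added illustration, not from the original thread and not from the Karaf or CXF projects; the element names and namespace are written from memory of the 4.2 feature-processing schema, and the version range, the cxf feature name and the bundle ids in the comments are assumptions that must be checked against your own installation before use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Hypothetical etc/org.apache.karaf.features.xml for a Karaf 4.2.x container
  (example only; not shipped by Karaf or CXF). The namespace and element names
  below should be compared against the file your Karaf distribution already
  ships in etc/ before relying on them.

  What it does: whenever any feature (the CXF/Jackson ones included) asks for
  a snakeyaml 1.x bundle, the features service installs the 2.0 artifact in
  its place, so the vulnerable 1.33 jar never reaches the bundle cache.
-->
<featuresProcessing xmlns="http://karaf.apache.org/xmlns/features-processing/v1.0.0">

  <bundleReplacements>
    <!-- originalUri: Maven coordinates plus a Maven version range (hence
         mode="maven"); any snakeyaml in [1,2) is replaced. snakeyaml 2.0 is the
         line that closes CVE-2022-1471 by refusing arbitrary global tags
         (!!some.class.Name) in the default constructor. -->
    <bundle originalUri="mvn:org.yaml/snakeyaml/[1,2)"
            replacement="mvn:org.yaml/snakeyaml/2.0"
            mode="maven"/>
  </bundleReplacements>

</featuresProcessing>
```

Before and after applying the file, confirm what is really deployed from the Karaf console: `feature:list -i | grep -i cxf` shows which CXF features are installed, `bundle:list -t 0 | grep -i snakeyaml` lists every snakeyaml bundle regardless of start level, and `bundle:headers <id>` on the Jackson YAML bundle shows the Import-Package range it declares for org.yaml.snakeyaml. That last check is the one that matters: the consumer of snakeyaml (jackson-dataformat-yaml, pulled in by the Jackson feature Matt mentions) must import a range that accepts 2.x, otherwise the replaced bundle resolves but the consumer does not, and the feature install fails. That is the practical form of Matt's warning that this is more than a one-library upgrade: the Jackson line must move together with snakeyaml, and newer Jackson lines are the ones that start requiring a newer JDK.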
