Can you update to snakeyaml 2.0?

[pcreager23]

@cowtowncoder, @pjfanning, et al,
I've seen the info that FasterXML is not in fact affected by the CVE-2022-1471 bug in snakeyaml, however several scanners still flag FasterXML since it contains the pre-patched version 1.33 of snakeyaml.

So could you please upgrade to snakeyaml 2.0 (just released) to quiet these scanners?

Thank you in advance from those of us in the trenches in Corporate IT!

[pjfanning]

Have you checked the latest code? This change is already done.

[pcreager23]

Awesome, thanks! If only all FOSS devs were on top on things like this.

And no, I didn't see it here:

What is New?
Nov 2, 2022:

(Now, on to dropwizard...)

[cowtowncoder]

@pcreager23 Like @pjfanning said, 2.15 will have snakeyaml dependency, and 2.14.x works with it.

Just one caveat: I think 2.14.2 is the version that works; 2.14.0 and 2.14.1 were (I think) using a constructor deprecated in latest 1.x versions of snakeyaml, one removed from 2.0.
I am not 100% sure if there was a backport in 2.13; one challenge being that keeping balance b/w dependency version gets very difficult when libraries add new methods in order to remove older ones (so range of acceptable substitutions shrinks).

Change itself is this one:

FasterXML/jackson-dataformats-text#370

if anyone wants to dig deeper, wrt possible backport (I don't remember when the replacement method was added in SnakeYAML)