YAML timestamps not handled properly with SnakeYaml 1.31 #32229
Comments
Hi @bclozel, snakeyaml released 1.32. Will Spring Boot 2.7.4 support it? Thanks. Albert
Yes it will support it, but the default managed version will not change.
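Since the managed default stays put, a project that wants a newer SnakeYAML has to pin it itself. The following Maven excerpt is an added example, not code from this thread or from the Spring Boot project; it assumes a project that inherits from spring-boot-starter-parent 2.7.4 and uses the `snakeyaml.version` property that Spring Boot's dependency management exposes, with 1.33 taken from the discussion as the version to pin (substitute whichever release you have assessed).

```xml
<!-- pom.xml excerpt (added example, assumed project layout).
     The parent supplies Spring Boot's managed versions; the single
     property below overrides only the SnakeYAML entry, so every other
     managed version (and the behaviour the maintainers guarantee for
     them) stays exactly as shipped in 2.7.4. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.4</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>        <!-- hypothetical coordinates -->
  <artifactId>yaml-pin-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Override the managed SnakeYAML version. Because the override is
         applied in dependency management, it also governs the transitive
         org.yaml:snakeyaml pulled in via jackson-dataformat-yaml. -->
    <snakeyaml.version>1.33</snakeyaml.version>
  </properties>

  <dependencies>
    <!-- No explicit versions here: they resolve from dependency management,
         so spring-boot-starter now gets SnakeYAML 1.33 instead of the default. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>

  <!-- Verify the resolved version after the change:
         mvn dependency:tree -Dincludes=org.yaml:snakeyaml
       The output should list org.yaml:snakeyaml:jar:1.33 and nothing else
       for that artifact; a second, older copy would mean some dependency
       declares its own version outside dependency management. -->
</project>
```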
Hi @bclozel, is snakeyaml release 1.33 also supported by spring-boot 2.7.4? The changelog looks inconspicuous and our software passes all tests. But I am not quite sure what snakeyaml really does in spring boot.
Hey there, may I know what kind of open source policy is preventing Spring Boot from including the latest snakeyaml in its distribution? It looks like even 1.32 and 1.33 are also reported with security vulnerabilities, so why can't the Spring team consider a custom solution for its yaml processing?
@fabian-froehlich it's only being used for parsing your

@sreekanth-tf our upgrade policy describes the rationale here - we don't upgrade minor versions of third party dependencies in maintenance releases as this might cause behavior changes for applications. Right now, we don't feel like creating our own YAML parser is in scope for this project. Arguably, creating our own would not prevent CVEs anyway.
@sreekanth-tf this would make Jackson a required dependency for all Spring Boot applications, which is not the case right now.
I got your point, thanks..... also jackson-dataformat-yaml internally depends on snakeyaml 🤣
Forward port of issue #32228 to 2.7.x.