
YAML timestamps not handled properly with SnakeYaml 1.31 #32229

Closed
bclozel opened this issue Sep 5, 2022 · 7 comments
Labels
status: forward-port (An issue tracking the forward-port of a change made in an earlier branch), type: bug (A general bug)
Comments

@bclozel
Member

bclozel commented Sep 5, 2022

Forward port of issue #32228 to 2.7.x.

bclozel added the status: forward-port and type: enhancement labels Sep 5, 2022
bclozel added this to the 2.7.4 milestone Sep 5, 2022
bclozel closed this as completed in cca5ee8 Sep 5, 2022
bclozel added the type: bug label and removed the type: enhancement label Sep 5, 2022
bclozel changed the title from "Support for SnakeYaml 1.31" to "YAML timestamps not handled properly with SnakeYaml 1.31" Sep 5, 2022
@albertwangnz

Hi @bclozel, snakeyaml released 1.32. Will Spring Boot 2.7.4 support it? Thanks.

Albert

@bclozel
Member Author

bclozel commented Sep 17, 2022

Yes it will support it, but the default managed version will not change.
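Because the managed default does not move, an application that wants a newer SnakeYAML on Spring Boot 2.7.x has to override it itself. The Maven fragment below is an added example, not something from this issue or from the Spring Boot project; it assumes the project inherits from `spring-boot-starter-parent`, whose dependency management exposes a `snakeyaml.version` property, and uses 1.33 because that is the release the thread asks about.

```xml
<!-- Added example (not part of the issue): pin SnakeYAML for a Spring Boot 2.7.x build.
     Assumes the POM inherits from spring-boot-starter-parent, which defines the
     snakeyaml.version property used by Boot's managed dependency set. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.4</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>         <!-- placeholder coordinates -->
  <artifactId>yaml-override-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Overrides the version Boot 2.7.4 manages by default (1.30);
         1.33 is the release asked about in this thread. -->
    <snakeyaml.version>1.33</snakeyaml.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the override, confirm what actually got resolved with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`, and re-run the application's own test suite: as the maintainer notes further down, Boot only uses SnakeYAML to load `application.yml`, so a green build with the configuration parsed is the practical compatibility check.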

@fabian-froehlich

Hi @bclozel, is snakeyaml release 1.33 also supported by spring-boot 2.7.4? The changelog looks inconspicuous and our software passes all tests. But I am not quite sure what snakeyaml really does in spring boot.

@sreekanth-tf

sreekanth-tf commented Sep 27, 2022

Hey there, may I know what kind of open source policy is preventing Spring Boot from including the latest snakeyaml in its distribution? It looks like even 1.32 and 1.33 are also reported with security vulnerabilities. Why can't the Spring team consider a custom solution for its YAML processing?

@bclozel
Member Author

bclozel commented Sep 27, 2022

@fabian-froehlich it's only being used for parsing your application.yml, so if your configuration is parsed and your tests pass you should be good. I've just run our entire test suite on the main branch against this new version and everything is green.

@sreekanth-tf our upgrade policy describes the rationale here - we don't upgrade minor versions of third party dependencies in maintenance releases as this might cause behavior changes for applications. Right now, we don't feel like creating our own YAML parser is in scope for this project. Arguably, creating our own would not prevent CVEs anyway.

@bclozel
Member Author

bclozel commented Sep 27, 2022

@sreekanth-tf this would make Jackson a required dependency for all Spring Boot applications, which is not the case right now.

@sreekanth-tf

I got your point, thanks... also jackson-dataformat-yaml internally depends on snakeyaml 🤣
