SnakeYAML 2.0 delivers backwards incompatible changes https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes

Comment From: asomov

@bclozel Spring is not affected by CVE-2022-1471, but yes the tooling should stop complaining after this PR

Comment From: bclozel

This change makes SnakeYaml 2.0+ a requirement for all Spring applications. We're scheduling this for 6.1.0 right now, but we might upgrade Spring Boot 3.1.0 to SnakeYaml 2.0 before that if the source/runtime compatibility is fine.

Comment From: zhudaxi

Any plan to apply this fix to Spring Boot 2.x version? Thanks.

Comment From: asomov

@bclozel I can also contribute a PR to Spring Boot

Comment From: oreissig

Is it possible to update the code such that Spring only uses a subset of snakeyaml, that is not affected by backwards-incompatible changes? If so, we could leave older versions on their currently used version of snakeyaml, while allowing consumers to override to 2.0 if desired.

Comment From: bclozel

@zhudaxi that's a question for the Spring Boot team, I believe they're looking into it already.

@asomov I don't think a PR is needed, the team is already looking into it.

@oreissig yes that's our goal.

Comment From: asomov

this PR fixes failing YamlProcessorTests

Comment From: patpatpat123

Hello team,

Sorry to ask, but in this https://github.com/spring-projects/spring-boot/issues/33457 which is now closed, it seems the issue is fixed and SpringBoot should be using SnakeYAML 2.0. However, from this PR, which is still opened, it seems it is not merged.

Therefore, I am a little bit confused, as I am still seeing this CVE in my SpringBoot project.

Thank you

Comment From: philwebb

@patpatpat123 This issue is about upgrading to SnakeYAML 2.0 in Spring Framework 6.1.

Spring Boot 2.7.10 and above are compatible with SnakeYAML 2.0, but do not ship with it by default. You can override the version in your own project if you wish to upgrade.
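
The override Phil describes, written out as an added example (this is not code from the thread or from the Spring Boot project). It assumes a Gradle build using the Spring Boot plugin together with the `io.spring.dependency-management` plugin, which resolves `org.yaml:snakeyaml` through the `snakeyaml.version` property in Spring Boot's managed dependencies; the plugin versions shown are assumptions, any Spring Boot 2.7.10 or later release works according to the comment above.

```groovy
// Added example, not part of the original thread: pin SnakeYAML 2.0 in a
// Spring Boot 2.7.10+ project so the 1.x default stops tripping CVE scanners.
plugins {
    id 'java'
    id 'org.springframework.boot' version '2.7.10'                 // assumption: 2.7.10 or later
    id 'io.spring.dependency-management' version '1.0.15.RELEASE'  // assumption: plugin version
}

// Spring Boot's dependency management sets org.yaml:snakeyaml from the
// 'snakeyaml.version' property. Overriding it here replaces the default 1.x
// version for every configuration that inherits the managed version.
ext['snakeyaml.version'] = '2.0'

repositories {
    mavenCentral()
}

dependencies {
    // spring-boot-starter pulls in snakeyaml transitively; no direct
    // dependency on org.yaml:snakeyaml is needed for the override to apply.
    implementation 'org.springframework.boot:spring-boot-starter'
}
```

Confirm the resolved version before trusting the scanner result, for example with `./gradlew dependencyInsight --dependency org.yaml:snakeyaml --configuration runtimeClasspath`. In a Maven build that inherits from `spring-boot-starter-parent`, the equivalent is a `<snakeyaml.version>2.0</snakeyaml.version>` entry in the `<properties>` section of the pom. Because the 2.0 line is backwards incompatible (see the changelog linked at the top of the thread), test the application after the bump: in particular, SnakeYAML 2.x no longer instantiates arbitrary classes from `!!` global tags by default, so any YAML that relied on that behaviour needs to be migrated rather than silently left as is.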

Comment From: patpatpat123

Understood @philwebb , many thanks for the clarification.

Comment From: XSpielinbox

Spring Boot 3.1.0 unfortunately does not ship SnakeYAML 2.0. So this will land in Spring Framework 6.1 on the 14th of June then?

What version of Spring Boot is estimated to include this change?

Comment From: snicoll

You don’t need this change. Please review the history where Phil said we are already compatible and you can upgrade if you want to.

Comment From: XSpielinbox

For sure, I know that and already did that. Nevertheless I am interested in when the default changes as I can then drop my overrides.

Comment From: spencergibb

You can see it has been assigned to the 6.1.0-M1 milestone, which is due by June 2023. GA release later in the autumn.

Comment From: davidghiurco

Are there any plans to backport the SnakeYAML 2.0+ upgrade into Spring Boot 2.7.x, for those unable to migrate to Spring Boot 3.x?

Comment From: bclozel

@davidghiurco Spring Boot 2.7.x is out of open source support.