Forward port of issue #32228 to 2.7.x.
Comment From: albertwangnz
Hi @bclozel , snakeyaml released 1.32. Will Spring Boot 2.7.4 support it? Thanks.
Albert
Comment From: bclozel
Yes it will support it, but the default managed version will not change.
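Pinning a newer snakeyaml in a Spring Boot 2.7.x build, as an added example that is not part of this issue thread; it assumes the `snakeyaml.version` property that the spring-boot-dependencies BOM exposes for overriding its managed version, and the placeholder groupId/artifactId are constructed:

```xml
<!-- pom.xml of an application that inherits Boot's dependency management -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>        <!-- placeholder -->
  <artifactId>yaml-override-demo</artifactId> <!-- placeholder -->
  <version>0.0.1-SNAPSHOT</version>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.4</version>
  </parent>

  <properties>
    <!-- Overrides the snakeyaml version managed by spring-boot-dependencies
         (assumed property name). Omitting this line keeps Boot's default
         managed version, which is what the comment above describes. -->
    <snakeyaml.version>1.33</snakeyaml.version>
  </properties>

  <dependencies>
    <!-- spring-boot-starter pulls in snakeyaml transitively for application.yml parsing -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>
</project>
```

Confirm the resolved version with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` before relying on it; with the Gradle plugin the equivalent override is `ext['snakeyaml.version'] = '1.33'` in build.gradle.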
Comment From: fabian-froehlich
Hi @bclozel, is snakeyaml release 1.33 also supported by spring-boot 2.7.4? The changelog looks inconspicuous and our software passes all tests. But I am not quite sure what snakeyaml really does in spring boot.
Comment From: sreekanth-tf
Hey there, may I know what kind of open source policy is preventing spring boot from including the latest snakeyaml in its distribution? It looks like even 1.32 and 1.33 are also reported with security vulnerabilities, so why can't the spring team consider a custom solution for its yaml processing?
Comment From: bclozel
@fabian-froehlich it's only being used for parsing your application.yml, so if your configuration is parsed and your tests pass you should be good. I've just run our entire test suite on the main branch against this new version and everything is green.
@sreekanth-tf our upgrade policy describes the rationale here - we don't upgrade minor versions of third party dependencies in maintenance releases as this might cause behavior changes for applications. Right now, we don't feel like creating our own YAML parser is in scope for this project. Arguably, creating our own would not prevent CVEs anyway.
Comment From: bclozel
@sreekanth-tf this would make Jackson a required dependency for all Spring Boot applications, which is not the case right now.
Comment From: sreekanth-tf
I got your point, thanks... also jackson-dataformat-yaml internally depends on snakeyaml :rofl: