Neither in Spring Boot 2.7.6 nor in 3.0.0 was org.yaml.snakeyaml upgraded to the latest release (1.32 or 1.33), which fixes

CVE-2022-25857

As this is a managed dependency, is there maybe something wrong with the automated upgrade in the case of snakeyaml?

We are running several services in production with Spring Boot 2.7.5 and snakeyaml 1.32 without any problems.

PS: There is still another open unfixed security bug in snakeyaml: CVE-2022-41854
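For readers who, like the reporter, run an older Spring Boot line with a newer snakeyaml, the usual way to do that is to override the managed version rather than declare a second dependency. The following Maven fragment is an added illustration, not part of this issue or of the Spring Boot project sources; it assumes a project that inherits from `spring-boot-starter-parent` and uses the `snakeyaml.version` property that Spring Boot's dependency management defines (the `1.32` value is the reporter's production version, not a recommendation from this thread):

```xml
<!-- pom.xml (assumed: parent is spring-boot-starter-parent 2.7.x) -->
<properties>
    <!-- Overrides the version Spring Boot manages for org.yaml:snakeyaml.
         Spring Boot's BOM declares this property name, so no extra
         <dependencyManagement> entry is needed. -->
    <snakeyaml.version>1.32</snakeyaml.version>
</properties>
```

After changing the property, confirm the override actually took effect and that no other path still pulls in the older artifact, for example with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`; the resolved version printed there is what ends up on the classpath and is what a vulnerability scanner will report against CVE-2022-25857.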

Comment From: bclozel

Nothing went wrong, this is due to our upgrade policy. Duplicates #32221

Comment From: steinsag

Ok, understood for Spring Boot 2.x, but why hasn't it been upgraded for Spring Boot 3.x, which would allow breaking changes?

Comment From: bclozel

I don't understand, Spring Boot 3.0.0 depends on SnakeYaml 1.33. Which version should we upgrade to?

Comment From: steinsag

Eiks, too many repos on my side, mixed things up :-/