Please upgrade to the latest SnakeYAML in spring-boot-dependencies, since the current 2.7.x branch uses SnakeYAML 1.30, which has a "High" rated vulnerability report.
See https://ossindex.sonatype.org/component/pkg:maven/org.yaml/snakeyaml@1.30
Comment From: wilkinsona
Duplicates https://github.com/spring-projects/spring-boot/issues/32221.
We won't upgrade to a new minor SnakeYAML in a maintenance release of Spring Boot. If you're using SnakeYAML to parse untrusted input (which is unlikely in a Spring Boot application), you can use snakeyaml.version to upgrade.
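Concretely, the `snakeyaml.version` override mentioned above looks like this in a Maven `pom.xml` that inherits from `spring-boot-starter-parent`. This is an added example, not code from the Spring Boot project; the Boot version 2.7.16 and SnakeYAML 1.33 are the ones discussed in this thread, and the `com.example:demo` coordinates are placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <!-- spring-boot-starter-parent imports spring-boot-dependencies, which pins snakeyaml 1.30 on 2.7.x -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.16</version>
  </parent>

  <!-- placeholder coordinates for the application -->
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Overrides the managed SnakeYAML version; the property name comes from spring-boot-dependencies -->
    <snakeyaml.version>1.33</snakeyaml.version>
  </properties>

  <dependencies>
    <!-- spring-boot-starter pulls in snakeyaml transitively; no version is declared here,
         so the managed (now overridden) version is used -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`, which should show `org.yaml:snakeyaml:jar:1.33`. If the build imports `spring-boot-dependencies` as a BOM in `dependencyManagement` instead of using the parent, the property has no effect and the `org.yaml:snakeyaml` version must instead be declared in your own `dependencyManagement` section ahead of the BOM import.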
Comment From: Subrhamanya
@wilkinsona Does that mean successive 2.7.x versions of Spring Boot won't upgrade SnakeYAML to 1.33?
Comment From: wilkinsona
Yes.
Comment From: Subrhamanya
In which version of Spring Boot can we expect that?
Comment From: wilkinsona
We have already upgraded in 3.0.
Comment From: Subrhamanya
Was 3.0 released as stable? I see milestone releases of it.
Comment From: wilkinsona
This isn't the right place for this sort of back and forth. You can find answers to all of these questions by searching issues or reviewing the milestone page.
Comment From: Subrhamanya
Yeah sure @wilkinsona thanks.
Comment From: alike-everc
Is it safe to manually upgrade SnakeYAML to v1.33 when using Spring Boot 2.7.16?
Comment From: wilkinsona
@alike-everc Please read this issue and the others to which it links. I believe your question has already been answered.