Upgrading SnakeYAML and Spring Boot to address CVE-2022-1471

David Diederich requested to merge upgrade-snakeyaml into master

This upgrades the SnakeYAML dependency to be version 2.0, addressing a critical security vulnerability (CVE-2022-1471).

It required explicitly setting the dependency rather than allowing it to be inherited from Spring Boot.

I also upgraded Spring Boot to 2.7.10, because it was incompatible in obm!46 (merged), oqm!25 (merged), and osm!43 (merged), even though it wasn't failing the pipeline here.

Edited by David Diederich