Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

snakeyaml-2.0 for 0.5? #500

Open
rossabaker opened this issue May 2, 2023 · 5 comments
Open

snakeyaml-2.0 for 0.5? #500

rossabaker opened this issue May 2, 2023 · 5 comments

Comments

@rossabaker
Copy link
Member

Would it be possible to upgrade to snakeyaml-2.0 for the 0.5 release? There's a nuisance CVE on 1.33.

One question would be how much of the rest of the SBT ecosystem might use snakeyaml-1.x dependencies. 2.x drops some deprecated methods and is not binary compatible.

@armanbilge armanbilge added this to the v0.5.0 milestone May 2, 2023
@armanbilge
Copy link
Member

We'll also need circe-yaml to make a stable release with this bump.
https://github.com/circe/circe-yaml/releases/tag/v0.15.0-RC1

@rossabaker
Copy link
Member Author

I wouldn't want a circe-core-0.15 triggered for this need. A circe-yaml-0.15 would be fine by me ... but I don't envy the questions that would come their way on that.

@armanbilge
Copy link
Member

There's also now circe-yaml-v12, which uses snakeyaml-engine which I think is an independent dependency? Maybe we can make a lateral move to that 🤔

https://github.com/circe/circe-yaml#circe-yaml

@rossabaker
Copy link
Member Author

Could be. It quotes the same kind of CVE with the same kind of rant, so it might not help with the original use case of hushing Dependabot, but may be good in its own right.

Does GitHub Actions formally support 1.1 or 1.2? A while back I tried to use anchors and couldn't, so I'm not sure that it's particularly compliant to any version.

@armanbilge armanbilge linked a pull request Jun 18, 2023 that will close this issue
@armanbilge
Copy link
Member

I don't think this is going to happen for v0.5.0. circe-yaml hasn't made this jump, and without knowing what YAML version GHA uses I'm hesitant to make the snake engine jump either ...

@armanbilge armanbilge removed this from the v0.5.0 milestone Jun 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants