Bump snakeyaml from 1.28 to 1.31 to resolve CVE-2022-25857 #574
Conversation
Resolves CVE-2022-25857, among other fixes.
@chadlwilson /cc @headius Should we release a new version with this?
From my personal perspective this would be great, hopefully for inclusion in JRuby 9.3.8.0 (and arguably JRuby 9.2.22.0). I'm not sure how to interpret the failing builds, or how to help with the cherry-picking or PRs for branches, but happy to assist where I can. Additionally, I am not sure within JRuby usage whether there is a canonical way for folks to override/increase the nesting limit via
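As an added example (not code from this PR, and not a Psych or SnakeYAML configuration option; the thread itself does not identify one), here is one defensive way to bound nesting depth on the application side: a streaming `Psych::Handler` that counts collection depth as the parser emits events, so an over-deep document is rejected before any Ruby object graph is materialised. The names `DepthLimitingHandler`, `YamlTooDeep`, `yaml_nesting_depth` and `safe_load_bounded`, and the two sample documents, are all constructed for this illustration.

```ruby
require "psych"

# Raised when a document nests sequences/mappings deeper than the configured bound.
# (Constructed example; not part of Psych.)
class YamlTooDeep < StandardError; end

# Event handler that tracks the current collection depth while the parser streams
# events. No tree is built here, so the check costs O(1) memory per level.
class DepthLimitingHandler < Psych::Handler
  attr_reader :max_seen

  def initialize(limit)
    super()
    @limit = limit
    @depth = 0
    @max_seen = 0
  end

  # Psych::Handler callback signatures: (anchor, tag, implicit, style)
  def start_sequence(_anchor, _tag, _implicit, _style)
    enter
  end

  def start_mapping(_anchor, _tag, _implicit, _style)
    enter
  end

  def end_sequence
    leave
  end

  def end_mapping
    leave
  end

  private

  def enter
    @depth += 1
    @max_seen = @depth if @depth > @max_seen
    raise YamlTooDeep, "nesting depth #{@depth} exceeds limit #{@limit}" if @depth > @limit
  end

  def leave
    @depth -= 1
  end
end

# Streams the document through the depth-limiting handler and returns the
# maximum depth seen, or raises YamlTooDeep as soon as the limit is crossed.
def yaml_nesting_depth(yaml, limit:)
  handler = DepthLimitingHandler.new(limit)
  Psych::Parser.new(handler).parse(yaml)
  handler.max_seen
end

# Only materialise the document (Psych.safe_load) after the streaming check passes.
def safe_load_bounded(yaml, limit: 32)
  yaml_nesting_depth(yaml, limit: limit)
  Psych.safe_load(yaml)
end

# Constructed sample inputs: a realistic shallow config and a pathological
# 50-level flow sequence of the kind a nesting limit is meant to reject.
SHALLOW_YAML = "servers:\n  - name: web\n    ports: [80, 443]\n"
DEEP_YAML = ("[" * 50) + ("]" * 50)

if __FILE__ == $PROGRAM_NAME
  puts "shallow document depth: #{yaml_nesting_depth(SHALLOW_YAML, limit: 32)}"
  begin
    safe_load_bounded(DEEP_YAML, limit: 32)
  rescue YamlTooDeep => e
    puts "rejected deep document: #{e.message}"
  end
end
```

The check runs on the event stream, so it rejects the document at the first collection start that crosses the limit rather than after the whole tree has been allocated; pick the limit from the depth your own schemas actually need.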
Looking into this today. The failures may be simple changes in SnakeYAML that are still valid but not within expectations.
@hsbt @tenderlove @chadlwilson The failures in this PR's GHA run do not appear to be related to SnakeYAML at all. They appear to reflect a regression in CRuby HEAD. All the JRuby builds and released CRuby builds pass. I cannot comment on exactly why the CRuby HEAD builds fail now, but they also fail for me locally without this PR. I believe the PR is a good change and should be merged and released ASAP.
Thank you for doing this @hsbt! I believe JRuby 9.3 depends on Psych 3.x. Are you able to cut a similar release for the 3.3.x branch?
I'll work on it tonight if it's easy to backport.
Ahh, sorry, my bad. I misread the commit history and thought this had already been cherry-picked to 3.3.x but not released. Raised #575, hope it helps.
@chadlwilson That's great, thank you! JRuby 9.3 could perhaps upgrade, but as long as 3.3.x is supported we'd prefer to keep it stable. @hsbt Whenever we can get #575 merged and into a 3.3.x release, let me know and I will upgrade JRuby 9.3!
Resolves CVE-2022-25857 within snakeyaml, among other fixes.
Suggest cherry-picking to 4-0-stable and any other maintained versions.
Additional context