fix: Override snakeyaml version to fix vulnerabilities

rsenden · rsenden · commit af22f023d99d · 2023-04-07T14:44:13.000+02:00
diff --git a/build.gradle b/build.gradle
@@ -82,6 +82,11 @@ allprojects {
 			implementation 'org.hibernate:hibernate-validator-annotation-processor:6.2.5.Final'
 			implementation 'org.jsoup:jsoup:1.14.3'
 			implementation 'com.google.code.findbugs:jsr305:3.0.2'
+			// Spring Boot declares dependency on snakeyaml 1.30, which contains known 
+			// vulnerabilities. According to https://stackoverflow.com/a/75875594, our 
+			// Spring Boot version is compatible with snakeyaml 2.0, which doesn't have 
+			// any known vulnerabilities, so we override the version here.
+			implementation 'org.yaml:snakeyaml:2.0'
 		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,11 @@ allprojects {`
`82`	`82`	`implementation 'org.hibernate:hibernate-validator-annotation-processor:6.2.5.Final'`
`83`	`83`	`implementation 'org.jsoup:jsoup:1.14.3'`
`84`	`84`	`implementation 'com.google.code.findbugs:jsr305:3.0.2'`
	`85`	`+ // Spring Boot declares dependency on snakeyaml 1.30, which contains known`
	`86`	`+ // vulnerabilities. According to https://stackoverflow.com/a/75875594, our`
	`87`	`+ // Spring Boot version is compatible with snakeyaml 2.0, which doesn't have`
	`88`	`+ // any known vulnerabilities, so we override the version here.`
	`89`	`+ implementation 'org.yaml:snakeyaml:2.0'`
`85`	`90`	`}`
`86`	`91`	`}`
`87`	`92`	`}`