Bump snakeyaml version to 2.3 to eliminate critical CVE-2022-1471 with 1.33. Upgrade databind to enable this.

Zach Chuba · Zach Chuba · commit e0dea62739b1 · 2025-01-27T14:52:38.000-05:00
diff --git a/core/build.gradle b/core/build.gradle
@@ -63,8 +63,8 @@ tasks.japicmp {
 configurations.all {
     resolutionStrategy {
         // use lower Jackson version
-        force 'com.fasterxml.jackson.core:jackson-databind:2.8.8'
-        force 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.8.8'
+        force 'com.fasterxml.jackson.core:jackson-databind:2.18.2'
+        force 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.2'
     }
 }
 
@@ -100,7 +100,7 @@ dependencies {
     api 'com.github.docker-java:docker-java-transport-zerodep'
 
     shaded 'com.google.guava:guava:33.3.1-jre'
-    shaded "org.yaml:snakeyaml:1.33"
+    shaded "org.yaml:snakeyaml:2.3"
 
     shaded 'org.glassfish.main.external:trilead-ssh2-repackaged:4.1.2'
 
diff --git a/modules/k3s/build.gradle b/modules/k3s/build.gradle
@@ -6,7 +6,7 @@ dependencies {
     // https://youtu.be/otCpCn0l4Wo
     // The core module depends on jackson-databind 2.8.x for backward compatibility.
     // Any >2.8 version here is not compatible with jackson-databind 2.8.x.
-    shaded 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.8.8'
+    shaded 'com.fasterxml.jackson.dataformat:jackson-dataformats-text:2.18.2'
 
     testImplementation 'io.fabric8:kubernetes-client:6.13.1'
     testImplementation 'io.kubernetes:client-java:21.0.1-legacy'
