Update snakeyaml to 2.0 #2198
Currently reddeer requires org.yaml.snakeyaml;bundle-version="1.14.0". Current Eclipse IDE ships 1.27 from orbit. All those versions are reported to have multiple vulnerabilities. Would you please require snakeyaml 2.0?
@merks Could you please help this project with setting up proper usage of maven central artifacts?

I will look into it now.
I'm kind of confused where the dependencies come from. I can't find a *.target file. Searching all the files doesn't even clue me in to where the dependency might be specified...
Instead of a target file the project defines p2 sites in the pom.xml, e.g. https://github.com/eclipse/reddeer/blob/master/pom.xml#L208 .

Reddeer could use https://download.eclipse.org/oomph/simrel-orbit/2023-09 which aggregates Orbit's IBuild (currently with all the direct-from-Maven dependencies of all the SimRel projects, already PGP signed). It contains the following versions: I assume, given there is no upper bound on the dependency in the MANIFEST.MF, the build would just pick up the 2.0.0 version automatically. Of course this update site will update to minor versions "automatically", and at some point soon, this will be provided/hosted by Orbit's downloads. Okay?
@merks @akurtakov I have prepared a PR to tackle this issue: #2206, although I like the site Ed proposed. I will work that in.

…fixes eclipse#2198
Signed-off-by: Ondrej Dockal <[email protected]>

Do you plan a new release soon? It would be nice to have one so this old snakeyaml disappears through the transitive deps updates for 2023-09.

@akurtakov we are working on a new release (4.7.0): #2216 :)
This release fixes CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471 according to https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes
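For readers doing the same 1.x to 2.0 upgrade, the following is an added example (not code from reddeer or from the SnakeYAML project) showing the loader-side change that accompanies the CVE-2022-1471 fix: in SnakeYAML 2.0 the no-argument constructors were removed, so a `LoaderOptions` instance must be passed explicitly, and `SafeConstructor` refuses documents whose global tags name arbitrary Java classes. The YAML inputs are constructed for the example; the class and method names (`SafeYamlLoad`, `safeYaml`) are assumptions of the example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoad {

    // Constructed sample input: plain scalars and mappings, no type tags.
    static final String PLAIN = "name: reddeer\nversion: 4.7.0\n";

    // Constructed sample input carrying a global tag that names a Java class.
    // CVE-2022-1471 concerned the 1.x Constructor instantiating such tags;
    // SafeConstructor only knows the standard YAML tags and rejects this one.
    static final String TAGGED = "!!java.lang.String 'x'\n";

    // Builds a loader restricted to the standard YAML types.
    // In 2.0 the no-arg SafeConstructor() no longer exists; LoaderOptions is mandatory.
    static Yaml safeYaml() {
        LoaderOptions opts = new LoaderOptions();
        return new Yaml(new SafeConstructor(opts));
    }

    public static void main(String[] args) {
        Yaml yaml = safeYaml();

        // Well-formed, untagged input loads into plain Java collections.
        Map<String, Object> doc = yaml.load(PLAIN);
        System.out.println("loaded: " + doc);

        // Input with a class-naming tag is refused instead of instantiating the class.
        try {
            yaml.load(TAGGED);
            System.out.println("unexpected: tagged document accepted");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compiling this against a 1.x snakeyaml bundle fails on the `SafeConstructor(LoaderOptions)` call, which is a convenient way to confirm that the 2.0 artifact is really the one resolved at build time rather than an older version pulled in transitively.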