Details
-
Task
-
Resolution: Won't Do
-
L3 - Default
-
None
-
None
-
Not defined
Description
We currently have a dependency on https://github.com/FasterXML/jackson-dataformat-yaml
However, this is no longer supported and pulls in a dependency of snakeyaml that has a security vulnerability. While we don't believe this vulnerability affects us, we should still migrate to using a library that is being actively supported: https://github.com/FasterXML/jackson-dataformats-text
If the migration is complex, an acceptable solution for the short term might also be to pin the snakeyaml version used by the existing library to one that does not contain the vulnerability (>=1.31)