Please upgrade your kaml library (0.20.0 -> 0.53.0)
rvowles opened this issue · 4 comments
There are two CVEs in the version you are using.
Thanks for the heads-up w.r.t. kaml CVEs!
This is a transitive dependency:
```
$ mvn dependency:tree -Dincludes=com.charleskorn.kaml
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ amazon-kinesis-client-multilang ---
[INFO] software.amazon.kinesis:amazon-kinesis-client-multilang:jar:2.4.9-SNAPSHOT
[INFO] \- software.amazon.kinesis:amazon-kinesis-client:jar:2.4.9-SNAPSHOT:compile
[INFO]    \- software.amazon.glue:schema-registry-serde:jar:1.1.14:compile
[INFO]       \- com.squareup.wire:wire-compiler:jar:3.7.1:compile
[INFO]          \- com.charleskorn.kaml:kaml:jar:0.20.0:runtime
```
The latest version of wire-compiler (released 2023/04/12) is still afflicted.
Since KCL does not own/manage `kaml`, I encourage you to pursue one of two paths:
- (quick fix) Override the `kaml` dependency in your application(s).
  - Caveat emptor. The KCL team does not have ownership of `kaml` and makes no claim that this will work w/o issue.
- (correct fix) Pursue the claim w/ `wire-compiler` to upgrade `kaml` (then `schema-registry-serde` to update `wire-compiler`, then us to update `schema-registry-serde`).
  - It's unfortunately convoluted, but avoids the slippery slope when a library, like KCL, starts managing transitive dependencies.
  - See also caveat emptor above: KCL team makes no claim the new `kaml` version is backwards-compatible, and are not responsible for ensuring its transitive inclusion or correctness.
Resolving this issue as there is no present action for KCL team. Please reopen if you disagree, or there's a path forward that we own (e.g., updating our direct dependencies).
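For readers who want to take the "quick fix" path described in the comment above, the following is an added example of how an application that consumes the KCL can pin the transitive `kaml` version itself. It is not code from this thread or from the KCL project. It assumes a Maven-built application whose own `pom.xml` declares `amazon-kinesis-client-multilang` as a direct dependency (the artifact shown at the root of the dependency tree above); the `app-group` and `app-name` coordinates are placeholders. Maven's `<dependencyManagement>` section applies to transitive dependencies as well as direct ones, so the single entry below overrides the `0.20.0` that arrives via `wire-compiler` without touching `schema-registry-serde` or KCL.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>app-group</groupId>        <!-- placeholder: your application's coordinates -->
  <artifactId>app-name</artifactId>   <!-- placeholder -->
  <version>1.0.0</version>

  <properties>
    <!-- Version named in the issue title; bump here when a newer fix is published. -->
    <kaml.version>0.53.0</kaml.version>
  </properties>

  <!-- dependencyManagement pins the version of any matching artifact, including
       ones that only appear transitively. This is what overrides kaml 0.20.0 coming
       in via amazon-kinesis-client -> schema-registry-serde -> wire-compiler. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.charleskorn.kaml</groupId>
        <artifactId>kaml</artifactId>
        <version>${kaml.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct dependency the application actually wants (version as in the tree
         above; substitute the release your application uses). -->
    <dependency>
      <groupId>software.amazon.kinesis</groupId>
      <artifactId>amazon-kinesis-client-multilang</artifactId>
      <version>2.4.9-SNAPSHOT</version>
    </dependency>
  </dependencies>
</project>
```

After applying it, rerun the same check the KCL maintainer used, `mvn dependency:tree -Dincludes=com.charleskorn.kaml`, and confirm the leaf now reads `com.charleskorn.kaml:kaml:jar:0.53.0:runtime`; a dependency scanner run against the built artifact is the second check, since it is the artifact, not the POM, that ships. The caveat in the comment still stands: the override changes the version `wire-compiler` was built and tested against, so the application's own test suite is what establishes that the newer `kaml` is compatible.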
@stair-aws the wire-compiler is in 4.5.5 - and they have merged in 0.53.0 which I expect will be in the next release. schema-registry-serde appears to be a major revision behind which will make this update somewhat more difficult? I will re-raise when they release 4.5.6
@rvowles Thanks. As this percolates up the dependencies, we/KCL look forward to the revbump!
breadcrumb: square/wire#2434