spring-cloud/spring-cloud-deployer

Snakeyaml 1.33 vulnerability

khaeghar opened this issue · 1 comment

Hi,

I was wondering if there's any plan on upgrading the snakeyaml version from 1.33 to 2.x, since 1.33 contains a vulnerability.

Kind regards!

onobc commented

Hi @khaeghar

We have no current plans to bump to 2.x as the changes would ripple through Spring Boot. Once Boot updates, we likely will too. In the meantime, the CVE does not affect dataflow as we have mitigated the flaws. Please see https://github.com/spring-cloud/spring-cloud-dataflow/security/advisories/GHSA-578p-phm8-hcj9