Is there any plan to update the version of snakeyaml to 2.0 in liquibase-core?

Hi,

I saw the latest version released version of liquibase-core is 4.20.0, which uses snakeyaml 1.33.
However snakeyaml 1.33 is reported to have vulnerability.

So just want to know is there any plan to fix this and if so when will the latest version be released ?
Appreciated if someone can share the timeline.

Best regards,
James You

As long as you don’t use YAML-formatted change log files, you can simply omit the dependency. For instance, for Maven:

<dependency>
  <groupId>org.liquibase</groupId>
  <artifactId>liquibase-core</artifactId>
  <exclusions>
    <!-- Exclude SnakeYAML, as
         a) the currently used version is vulnerable, and
         b) it's only needed when YAML change log files are used
    -->
    <exclusion>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
    </exclusion>
  </exclusions>
</dependency>

An update for anyone else searching for this, Liquibase 4.21.0 released on April 13, 2023 has SnakeYAML 2.0. release notes.

Snakeyaml 2.0 by filipelautert · Pull Request #3893 · liquibase/liquibase · GitHub.