Is there any plan to update the version of snakeyaml to 2.0 in liquibase-core?

leorric · March 28, 2023, 7:30am

Hi,

I saw the latest version released version of liquibase-core is 4.20.0, which uses snakeyaml 1.33.
However snakeyaml 1.33 is reported to have vulnerability.

So just want to know is there any plan to fix this and if so when will the latest version be released ?
Appreciated if someone can share the timeline.

Best regards,
James You

rob.spoor · June 27, 2023, 7:32am

As long as you don’t use YAML-formatted change log files, you can simply omit the dependency. For instance, for Maven:

<dependency>
  <groupId>org.liquibase</groupId>
  <artifactId>liquibase-core</artifactId>
  <exclusions>
    <!-- Exclude SnakeYAML, as
         a) the currently used version is vulnerable, and
         b) it's only needed when YAML change log files are used
    -->
    <exclusion>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
    </exclusion>
  </exclusions>
</dependency>

danielcompton · September 4, 2023, 9:23pm

An update for anyone else searching for this, Liquibase 4.21.0 released on April 13, 2023 has SnakeYAML 2.0. release notes.

Snakeyaml 2.0 by filipelautert · Pull Request #3893 · liquibase/liquibase · GitHub.

Topic		Replies	Views
Not loading SnakeYAML? General Discussion	3	3345	June 11, 2013
Liquibase upgrade 3.4.2 to 4.21 General Discussion	5	409	July 3, 2023
Liquibase 4.17.1 is now available! News and Announcements release , 417 , 4-17-1	1	1063	October 22, 2022
Unable to run liquibase for a json or yaml change log General Discussion	4	3125	June 13, 2013
Liquibase 4.2.2 JAR CLI yaml issues General Discussion	3	5263	September 27, 2024

Is there any plan to update the version of snakeyaml to 2.0 in liquibase-core?

Related topics