Hello,
This morning I found that the OSS Sonatype index Maven plugin is failing the build of any project using Karate because of CVE-2017-18640. This issue exists in snakeyaml 1.24 (the version currently used). A ticket was opened in the SnakeYAML repo and it got fixed in 1.26.
To solve this issue I suggest upgrading to 1.27, which is the latest version and doesn't seem to include any breaking changes.
Thanks!
@DeGuitard done, thanks. Release 1.0 may be a few months out, but we should be able to get a 0.9.7.RC1 out in a week or two.
That was fast, thanks a lot :)
@DeGuitard no worries. We'll keep this open until a formal release version (just our process, reopening).
Anyone aware of testing using snakeyaml 1.27 with karate 0.9.5? Any issues discovered if so? Thanks
@hoby1cat8 as far as I know there are no issues. The problem reported here only shows up if extra security checks are being run as part of a build.
OK, thanks @ptrthomas. We came across this via a security scan, so we are planning our update/testing path to resolve it. Since you're going to 1.26 of snakeyaml in Karate 1.0.0, we may update/test only version 1.26 of snakeyaml with 0.9.5.
@hoby1cat8 ah, thanks for the reminder. I just did a sweep of the project and upgraded all the dependencies I could, so Karate 1.0 will use snakeyaml 1.27.
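For anyone on a released Karate version that still pulls in snakeyaml 1.24 and wants the scan to pass before the upgrade lands, here is an added example (not from the thread, and not Karate project code) of pinning the transitive snakeyaml version from the consuming project's own Maven build. It assumes a Maven build and that the project declares the `karate-apache` artifact at 0.9.5; substitute whichever Karate artifact the project actually uses.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the Karate project. Assumed: a Maven build
     that depends on karate-apache 0.9.5 and gets snakeyaml 1.24 transitively. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>        <!-- placeholder coordinates -->
  <artifactId>karate-tests</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <!-- dependencyManagement wins over any transitively declared version,
       so karate's snakeyaml 1.24 is resolved as 1.27 without forking karate. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>1.27</version>   <!-- 1.26 is the first version with the CVE-2017-18640 fix -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.intuit.karate</groupId>
      <artifactId>karate-apache</artifactId>
      <version>0.9.5</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

Verify the override actually took effect before trusting the scan result: `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` should list `org.yaml:snakeyaml:jar:1.27` under the Karate artifact. If 1.24 still appears, some other module in the build declares snakeyaml directly with an explicit version, which takes precedence over `dependencyManagement` and must be changed there. Only then rerun the Sonatype OSS Index audit; a managed version that is not the one on the classpath is a false sense of security, not a fix.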