Vulnerabilities from libraries used by stil #70

Looking at https://mvnrepository.com/artifact/uk.ac.starlink/stil/4.3 it is clear that there are some fairly serious security vulnerabilities in the json and yaml library dependencies - it would be good to update these (the json one is 10 yrs old!)

Comments

Thanks @pahjbo, you are right. This is really just a case of updating the POM. I've been using snakeyaml v2.2 in development for a while now, so the snakeyaml version in the POM is an oversight, and there are no source changes required for an update of JSON-java to 20240303. I've made changes so that the next STIL release should have these versions in the POM so that the CVEs go away. I can't easily test this without actually making a release, so I will leave this issue open until the next release, when I'll try to remember to check that this has actually happened.

I guessed that was probably the case - so it is fine for local use to override what the POM is saying before the next official release.

Correct. BTW, from what I can tell, the chances of users suffering security issues based on these vulnerabilities in practice seem rather remote.

Probably, but that security red light is rather binary - I only noticed it because the IDE that I use flashed up a warning at me!

I believe that the JSON-java-related warnings should have gone away for the most recent central-repo release of STIL, v4.3-1. If you get the chance, can you confirm and close the issue? Thanks.

And a happy new year to you, Mr Theduck.
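The local override the thread agrees on, as an added example that is not part of the issue and not the STIL project's own build file: a consumer pom.xml that depends on uk.ac.starlink:stil:4.3 and pins the two flagged transitive dependencies to the versions the maintainer names (snakeyaml 2.2 and JSON-java 20240303). The consumer coordinates (example:stil-consumer) are hypothetical, and the example assumes a Maven 3 build in which STIL pulls in org.yaml:snakeyaml and org.json:json transitively.

```xml
<!-- Added example, not from the STIL project. Hypothetical consumer project
     that uses STIL 4.3 and overrides the vulnerable transitive versions
     until a release with the updated POM is published. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>                 <!-- hypothetical coordinates -->
  <artifactId>stil-consumer</artifactId>
  <version>0.1-SNAPSHOT</version>

  <!-- In Maven 3, versions declared in dependencyManagement take precedence
       over the versions a dependency's own POM declares for its transitive
       dependencies, so these two entries replace the older snakeyaml and
       JSON-java jars that STIL 4.3 would otherwise bring onto the classpath. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>2.2</version>            <!-- version named by the maintainer -->
      </dependency>
      <dependency>
        <groupId>org.json</groupId>
        <artifactId>json</artifactId>
        <version>20240303</version>       <!-- version named by the maintainer -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>uk.ac.starlink</groupId>
      <artifactId>stil</artifactId>
      <version>4.3</version>
    </dependency>
  </dependencies>
</project>
```

After adding the override, confirm it actually took effect with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml,org.json:json`; the tree should show only the pinned versions, and the IDE or scanner warning should clear. Forcing a transitive dependency across a major version (snakeyaml 2.x over an older line) is only safe when the library is known to work with the newer API, which is what the maintainer confirms above by saying development already runs on snakeyaml 2.2 and that JSON-java 20240303 needs no source changes. Once STIL v4.3-1 or later is in use, the dependencyManagement block can be removed so the project again follows the versions STIL itself declares.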