fix: Override snakeyaml version to fix vulnerabilities

fortify · Apr 7, 2023 · af22f02 · af22f02
1 parent 26cde1b
commit af22f02
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/build.gradle b/build.gradle
@@ -82,6 +82,11 @@ allprojects {
 			implementation 'org.hibernate:hibernate-validator-annotation-processor:6.2.5.Final'
 			implementation 'org.jsoup:jsoup:1.14.3'
 			implementation 'com.google.code.findbugs:jsr305:3.0.2'
+			// Spring Boot declares dependency on snakeyaml 1.30, which contains known 
+			// vulnerabilities. According to https://stackoverflow.com/a/75875594, our 
+			// Spring Boot version is compatible with snakeyaml 2.0, which doesn't have 
+			// any known vulnerabilities, so we override the version here.
+			implementation 'org.yaml:snakeyaml:2.0'
 		}
 	}
 }