refactor(dependency): unpin snakeyaml and upgrade logback with spring…

… boot upgrade to 3.x Spring boot 3.0.13 brings snakeyaml 1.33 and logback 1.4.11. So, upgrading and pinning logback to 1.4.14, till spring boot >=3.1.7, as more secure version.
spinnaker · Feb 18, 2025 · 3ce7b74 · 3ce7b74
1 parent d13c530
commit 3ce7b74
Showing 1 changed file with 2 additions and 23 deletions.
diff --git a/spinnaker-dependencies/spinnaker-dependencies.gradle b/spinnaker-dependencies/spinnaker-dependencies.gradle
@@ -15,10 +15,10 @@ ext {
     groovy           : "4.0.15",
     jsch             : "0.1.54",
     jschAgentProxy   : "0.0.9",
-    // spring boot 3.0.13 specifies logback 1.4.11.  Pin to 1.2.13 to resolve
+    // spring boot 3.0.13 specifies logback 1.4.11.  Pin to 1.4.14 to resolve
     // CVE-2023-6378 and CVE-2023-6481 until spring boot 3.1.7 which brings in
     // 1.4.14.  See https://logback.qos.ch/news.html#1.3.12.
-    logback          : "1.2.13",
+    logback          : "1.4.14",
     protobuf         : "3.25.2",
     openapi          : "1.8.0",
     retrofit         : "1.9.0",
@@ -160,28 +160,7 @@ dependencies {
     }
     api("org.objenesis:objenesis:2.5.1")
     api("org.pf4j:pf4j:3.10.0")
-    // pf4j:3.10.0 brings in slf4j-api:2.0.6 which is not compatible with logback 1.2.x.
-    // And the upgraded logback version(1.3.8) is becoming incompatible with SpringBoot's LogbackLoggingSystem:
-    // java.lang.NoClassDefFoundError at LogbackLoggingSystem.java:293
-    // Hence pinning slf4j-api at 1.7.36 which spring boot 2.7.18 brings in.
-    api("org.slf4j:slf4j-api"){
-      version {
-        strictly("1.7.36")
-      }
-    }
     api("org.pf4j:pf4j-update:2.3.0")
-
-    // Spring boot 2.7.18 brings in snakeyaml 1.30, which fails to parse yaml (including some
-    // k8s manifests).  See https://github.com/spring-projects/spring-boot/issues/30159#issuecomment-1125969155.
-    // It's safe to upgrade beyond 1.29 with spring boot >= 2.6.12 (see
-    // https://github.com/spring-projects/spring-boot/issues/32228#issue-136185850.0). However,
-    // snakeyaml 1.32 has a feature to restrict the size of incoming data to 3
-    // MB by default, and spring boot versions < 3.0.7 are not equipped to
-    // modify this limit.  Use 1.31 in order to avoid file size limitation till
-    // upgrade >= 3.0.7 and to resolve CVE-2022-25857 and CVE-2022-38749.  See
-    // https://bitbucket.org/snakeyaml/snakeyaml/issues/547/restrict-the-size-of-incoming-data
-    // and https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/22.
-    api("org.yaml:snakeyaml:1.31")
     api("org.springdoc:springdoc-openapi-webmvc-core:${versions.openapi}")
     api("org.springdoc:springdoc-openapi-kotlin:${versions.openapi}")
     api("org.springdoc:springdoc-openapi-ui:${versions.openapi}")