author    Charles Oliver Nutter <headius@headius.com>  2023-01-13 02:55:52 -0600
committer Charles Oliver Nutter <headius@headius.com>  2023-01-13 08:46:34 -0600
commit    e93e44a627d781960847493a49405e014deb29b8 (patch)
tree      0edabb0b6a0a38381055d44f29046d59a5b76898 /lib
parent    3ade585cea79292247b1d68cb30fd2b4a87ef2f5 (diff)
download  psych-e93e44a627d781960847493a49405e014deb29b8.tar.gz
Initial move to SnakeYAML Engine
See jruby/jruby#7570 for some of the justification for this move. We only require the parser from SnakeYAML, but in the original form it is encumbered with Java object serialization code that keeps getting flagged as a CVE risk. We disagree with the assessment, at least as it pertains to JRuby (we do not use the code in question), but our inclusion of the library continues to get flagged by auditing tools. This commit starts the process of moving to the successor library, SnakeYAML Engine. The parser API is largely unchanged, except as seen in this commit. No Java exceptions are thrown, but a number of Psych tests fail (possibly due to Engine being YAML 1.2 only).
Diffstat (limited to 'lib')
-rw-r--r--  lib/psych/versions.rb  | 2
-rw-r--r--  lib/psych_jars.rb      | 2
2 files changed, 2 insertions, 2 deletions
diff --git a/lib/psych/versions.rb b/lib/psych/versions.rb
index a592a69..38fb337 100644
--- a/lib/psych/versions.rb
+++ b/lib/psych/versions.rb
@@ -5,6 +5,6 @@ module Psych
VERSION = '5.0.1'
if RUBY_ENGINE == 'jruby'
- DEFAULT_SNAKEYAML_VERSION = '1.33'.freeze
+ DEFAULT_SNAKEYAML_VERSION = '2.6'.freeze
end
end
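Review bot: The constant name `DEFAULT_SNAKEYAML_VERSION` is now misleading, because '2.6' is a version of a different Maven artifact (snakeyaml-engine) rather than an upgrade of org.yaml:snakeyaml from '1.33'. Anyone who pins or overrides this constant expecting a SnakeYAML version line will hand an incompatible version to the new coordinates. Suggest either renaming it (for example `DEFAULT_SNAKEYAML_ENGINE_VERSION`) with a deprecation shim for the old name, or at minimum adding a comment above the assignment stating that it refers to SnakeYAML Engine. Also note that `VERSION = '5.0.1'` is left unchanged in this hunk even though the commit message describes a parser swap that currently fails a number of tests; a change of this size on JRuby should not ship under a patch-level version without being called out.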
diff --git a/lib/psych_jars.rb b/lib/psych_jars.rb
index e91e346..e74c25b 100644
--- a/lib/psych_jars.rb
+++ b/lib/psych_jars.rb
@@ -2,4 +2,4 @@
require 'psych.jar'
require 'jar-dependencies'
-require_jar('org.yaml', 'snakeyaml', Psych::DEFAULT_SNAKEYAML_VERSION)
+require_jar('org.snakeyaml', 'snakeyaml-engine', Psych::DEFAULT_SNAKEYAML_VERSION)
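Review bot: This `require_jar` change silently switches every JRuby user of Psych to a YAML 1.2-only parser the moment they `require 'psych'`, and the commit message itself says a number of Psych tests fail as a result. Since the diffstat is limited to 'lib', the reviewer cannot see from this page whether `psych.jar` (required on the line above) was rebuilt against the `org.snakeyaml` package namespace or whether the gemspec's jar requirement was updated to match the new coordinates; both need to be confirmed in the same change, otherwise `require_jar` resolves an Engine jar that the bundled Java code does not reference. Suggest documenting the YAML 1.1 vs 1.2 behavioural change for JRuby users in the commit message or changelog, and not merging until the failing tests are either fixed or explicitly marked as known differences.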