From e93e44a627d781960847493a49405e014deb29b8 Mon Sep 17 00:00:00 2001 From: Charles Oliver Nutter Date: Fri, 13 Jan 2023 02:55:52 -0600 Subject: Initial move to SnakeYAML Engine See jruby/jruby#7570 for some of the justification for this move. We only require the parser from SnakeYAML, but in the original form it is encumbered with Java object serialization code that keeps getting flagged as a CVE risk. We disagree with the assessment, at least as it pertains to JRuby (we do not use the code in question) but our inclusion of the library continues to get flagged by auditing tools. This commit starts the process of moving to the successor library, SnakeYAML Engine. The parser API is largely unchanged, except as seen in this commit. No Java exceptions are thrown, but a number of Psych tests fail (possibly due to Engine being YAML 1.2 only). --- Mavenfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Mavenfile') diff --git a/Mavenfile b/Mavenfile index b6d2dd0..96cf7b9 100644 --- a/Mavenfile +++ b/Mavenfile @@ -1,6 +1,6 @@ #-*- mode: ruby -*- -jar 'org.yaml:snakeyaml:${snakeyaml.version}' +jar 'org.snakeyaml:snakeyaml-engine:${snakeyaml.version}' plugin :dependency, '2.8', :outputFile => 'pkg/classpath' -- cgit v1.2.1
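Review bot: The added line `jar 'org.snakeyaml:snakeyaml-engine:${snakeyaml.version}'` still takes its version from `${snakeyaml.version}`, the same property that pinned `org.yaml:snakeyaml` on the removed line. The two artifacts have different coordinates and separate release lines, so a value left over from the old library would either fail to resolve or pin an unintended Engine release. The property's definition is not visible in this Mavenfile-only view, so please confirm it now holds an Engine version. Renaming it (for example to a hypothetical `snakeyaml.engine.version`) would make the switch explicit to anyone reading the build or an audit report. The commit message also says a number of Psych tests fail, possibly because Engine is YAML 1.2 only. Those failures should be listed in a follow-up or tracking issue so the behaviour change is documented before the dependency swap ships.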