This particular CVE saga carries on. I'm not sure what Andrey's position is anymore, but he has re-opened https://bitbucket.org/snakeyaml/snakeyaml/issues/561, which he previously closed as wontfix. In any case, I feel for him; not a ton of fun. Since clj-yaml took the safe-by-default approach, I feel we are still unaffected by this particular CVE.
Then a solution for us would be to add that cve to the ignore list for nvd and relax.
Ya, that seems like a plan. Ideally, I would like someone else to confirm my conclusion that we are safe. We might also add a note to the README on this CVE as tooling will pick up the CVE in clj-yaml deps. And it looks like Andrey is going to address this in some form or other, maybe even to the satisfaction of the raisers of the CVE. 🤷 We can adjust when that happens.
I figure it’s recorded in the commit msg.
Yeah, that's a perspective for sure. How about we adjust the README if/when folks start asking.
@slipset do you agree with my theory that we are not affected?
I do
Coolio, thanks
Odd thing @slipset, I did not get emails for the vulnerability scan failure. Did you?
Yes
Hmmm... maybe if I unwatch and then rewatch all activity...
speaking of vulnerabilities https://twitter.com/borkdude/status/1600930534523170816
Love it! This channel does need all the mirth it can get! 🙂