clj-yaml

lread 2023-01-03T16:49:29.314999Z

I have been monitoring the CVE-2022-1471 saga over at SnakeYAML. My understanding: Andrey's stance is that most users of SnakeYAML are fine. He labels tooling that reports on CVEs as "low quality". I think he's suggesting that tooling should analyze the actual usage of SnakeYAML and raise alarms only if usage is problematic. His argument is that the "absolute majority" of usage is not problematic and that the sky is not on fire. All that said, he is making some changes in response to the CVE. I continue to see no action required on the clj-yaml side at this point.

borkdude 2023-01-03T16:50:01.929279Z

Happy new year!

🎉 1
lread 2023-01-03T16:52:16.188889Z

From the outside looking in, it seems to me that being the maintainer of SnakeYAML might be a somewhat unpleasant task.

😂 1