#clj-yaml
2023-01-03
lread 16:01:29

I have been monitoring the CVE-2022-1471 saga over at SnakeYAML. My understanding: Andrey's stance is that most users of SnakeYAML are fine. He labels tooling that reports on CVEs as "low quality". I think he's suggesting that tooling should analyze the actual usage of SnakeYAML and raise alarms only if usage is problematic. His argument is that the "absolute majority" of usage is not problematic and that the sky is not on fire. All that said, he is making some changes in response to the CVE. I continue to see no action required on the clj-yaml side at this point.

borkdude 16:01:01

Happy new year!

lread 16:01:16

From the outside looking in, it seems to me being the maintainer of SnakeYAML might be a somewhat unpleasant task.
