From 0ee819b71ddab62699ab8b0ae14685d45781d28a Mon Sep 17 00:00:00 2001
From: Charles Oliver Nutter
Date: Fri, 13 Jan 2023 02:55:52 -0600
Subject: [PATCH] Initial move to SnakeYAML Engine

See jruby/jruby#7570 for some of the justification for this move. We only require the parser from SnakeYAML, but in the original form it is encumbered with Java object serialization code that keeps getting flagged as a CVE risk. We disagree with the assessment, at least as it pertains to JRuby (we do not use the code in question) but our inclusion of the library continues to get flagged by auditing tools. This commit starts the process of moving to the successor library, SnakeYAML Engine. The parser API is largely unchanged, except as seen in this commit. No Java exceptions are thrown, but a number of Psych tests fail (possibly due to Engine being YAML 1.2 only).
---
 ext/psych/lib/psych/versions.rb | 2 +-
 ext/psych/psych.gemspec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ext/psych/lib/psych/versions.rb b/ext/psych/lib/psych/versions.rb
index 22b909430c..1042a86d46 100644
--- a/ext/psych/lib/psych/versions.rb
+++ b/ext/psych/lib/psych/versions.rb
@@ -5,6 +5,6 @@ module Psych
   VERSION = '5.0.2'
   if RUBY_ENGINE == 'jruby'
-    DEFAULT_SNAKEYAML_VERSION = '1.33'.freeze
+    DEFAULT_SNAKEYAML_VERSION = '2.6'.freeze
   end
 end
diff --git a/ext/psych/psych.gemspec b/ext/psych/psych.gemspec
index f826af0f0e..a8ee5da028 100644
--- a/ext/psych/psych.gemspec
+++ b/ext/psych/psych.gemspec
@@ -55,7 +55,7 @@ DESCRIPTION
       "lib/psych_jars.rb",
       "lib/psych.jar"
     ]
-    s.requirements = "jar org.yaml:snakeyaml, #{version_module::Psych::DEFAULT_SNAKEYAML_VERSION}"
+    s.requirements = "jar org.snakeyaml:snakeyaml-engine, #{version_module::Psych::DEFAULT_SNAKEYAML_VERSION}"
     s.add_dependency 'jar-dependencies', '>= 0.1.7'
   else
     s.extensions = ["ext/psych/extconf.rb"]
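Review bot: The gemspec hunk now requests the `org.snakeyaml:snakeyaml-engine` artifact, but the version it interpolates still comes from a constant named `DEFAULT_SNAKEYAML_VERSION`, and nothing records that the two artifacts have separate version lines, so a later bump can easily pair the old library's number with the new coordinate. A comment above the constant in versions.rb would make the coupling explicit: `# Version of org.snakeyaml:snakeyaml-engine (not org.yaml:snakeyaml); keep in sync with the jar requirement in psych.gemspec`. The diffstat lists only these two files while the same gemspec packages `lib/psych_jars.rb`; if that file or the Java extension sources still refer to the old `org.yaml:snakeyaml` coordinate or package, the jar resolved at install time will not be the one that is loaded, which is worth confirming given the message's "except as seen in this commit". Since the message itself states that Engine is YAML 1.2 only and that Psych tests fail, the user-visible parsing differences introduced by the swap should be documented in the commit body or changelog rather than left implicit. The `if RUBY_ENGINE == 'jruby'` block enclosing the requirement line begins before the hunk.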