Update SnakeYAML to 1.29 (was 1.25: vulnerable to "billion laughs")
Kudos to Noriko Totsuka of @JPCERTCC (and also the author of the
vulnerability report, Taichi Kotake of Akatsuki Inc.) for reporting the
"billion laughs" vulnerability in SnakeYAML 1.25 (that the JVM build of
Kaitai Struct compiler has been using so far) to us.

Note: I am deliberately not updating to the latest version 1.30 because
it contains a suspicious regular expression, see
https://bitbucket.org/snakeyaml/snakeyaml/issues/537/potentially-problematic-regular-expression.
At least until someone proves it's safe under all circumstances, or
fixes it to a 100% harmless version as I suggest, I won't be using any
newer version than 1.29 unless I know it's safe.
generalmimon committed Jul 6, 2022
1 parent 89c42f3 commit 50f80d7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion build.sbt
@@ -58,7 +58,7 @@ lazy val compiler = crossProject.in(file(".")).
libraryDependencies ++= Seq(
"com.github.scopt" %%% "scopt" % "3.6.0",
"com.lihaoyi" %%% "fastparse" % "1.0.0",
"org.yaml" % "snakeyaml" % "1.25"
"org.yaml" % "snakeyaml" % "1.29"
)
).
jvmSettings(
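Review bot: the pin to "1.29" rather than the latest release rests on a rationale that lives only in the commit message; add a short comment next to `"org.yaml" % "snakeyaml" % "1.29"` in build.sbt pointing at https://bitbucket.org/snakeyaml/snakeyaml/issues/537 so a routine dependency bump does not move past it unreviewed. The hunk also adds no regression guard for the "billion laughs" issue it is fixing: a unit test that loads a small document with nested anchors and aliases and asserts that the loader rejects it would keep a later version change from silently reintroducing the behaviour.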

0 comments on commit 50f80d7