snakeyaml-2.0 for 0.5?
Would it be possible to upgrade to snakeyaml-2.0 for the 0.5 release? There's a nuisance CVE on 1.33.
One question would be how much of the rest of the SBT ecosystem might use snakeyaml-1.x dependencies. 2.x drops some deprecated methods and is not binary compatible.
We'll also need circe-yaml to make a stable release with this bump. https://github.com/circe/circe-yaml/releases/tag/v0.15.0-RC1
I wouldn't want a circe-core-0.15 triggered for this need. A circe-yaml-0.15 would be fine by me ... but I don't envy the questions that would come their way on that.
There's also now circe-yaml-v12, which uses snakeyaml-engine which I think is an independent dependency? Maybe we can make a lateral move to that 🤔
https://github.com/circe/circe-yaml#circe-yaml
Could be. It quotes the same kind of CVE with the same kind of rant, so it might not help with the original use case of hushing Dependabot, but may be good in its own right.
Does GitHub Actions formally support 1.1 or 1.2? A while back I tried to use anchors and couldn't, so I'm not sure that it's particularly compliant to any version.
I don't think this is going to happen for v0.5.0. circe-yaml hasn't made this jump, and without knowing what YAML version GHA uses I'm hesitant to make the snake engine jump either ...
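Added note, not part of the thread above and not code from this project or from circe-yaml: one way to settle the "which YAML version" question for a given parser is to feed the same document to both `org.yaml:snakeyaml` and `org.snakeyaml:snakeyaml-engine` and compare. The example below assumes both artifacts are on the classpath (snakeyaml-engine is indeed a separate artifact from snakeyaml, with its own `org.snakeyaml.engine.v2` package) and uses a constructed, workflow-shaped document that contains an anchor/alias pair and the bare key `on`. The interesting difference is that snakeyaml (1.33 and 2.0 alike) resolves scalars per YAML 1.1, where `on`, `off`, `yes` and `no` are booleans, while snakeyaml-engine follows the YAML 1.2 core schema, where only `true`/`false` are; anchors and aliases resolve under both.

```java
import java.util.List;
import java.util.Map;
import org.snakeyaml.engine.v2.api.Load;          // org.snakeyaml:snakeyaml-engine (YAML 1.2)
import org.snakeyaml.engine.v2.api.LoadSettings;
import org.yaml.snakeyaml.Yaml;                   // org.yaml:snakeyaml (YAML 1.1; same in 1.33 and 2.0)

/** Loads the same workflow-shaped document with both parsers and reports where they differ. */
public class YamlVersionProbe {

    // Constructed sample for this note, not a real workflow: an anchor/alias pair plus the key `on`.
    static final String DOC = String.join("\n",
        "defaults: &jdk",
        "  distribution: temurin",
        "  java-version: '17'",
        "on: [push]",
        "jobs:",
        "  build:",
        "    steps:",
        "      - uses: actions/setup-java@v3",
        "        with: *jdk",
        "");

    static Map<Object, Object> loadWithSnakeyaml(String doc) {
        // Default resolver follows YAML 1.1: on/off/yes/no are implicitly Boolean.
        return new Yaml().load(doc);
    }

    @SuppressWarnings("unchecked")
    static Map<Object, Object> loadWithEngine(String doc) {
        // snakeyaml-engine implements the YAML 1.2 core schema: only true/false are Boolean.
        LoadSettings settings = LoadSettings.builder().build();
        return (Map<Object, Object>) new Load(settings).loadFromString(doc);
    }

    /** Returns the Java class name of the key that was written as `on` in the source document. */
    static String onKeyType(Map<Object, Object> root) {
        for (Object key : root.keySet()) {
            if (Boolean.TRUE.equals(key) || "on".equals(key)) {
                return key.getClass().getSimpleName();
            }
        }
        return "missing";
    }

    /** True if the `*jdk` alias resolved to the same content as the `&jdk` anchor. */
    @SuppressWarnings("unchecked")
    static boolean aliasResolved(Map<Object, Object> root) {
        Map<Object, Object> jobs = (Map<Object, Object>) root.get("jobs");
        Map<Object, Object> build = (Map<Object, Object>) jobs.get("build");
        List<Object> steps = (List<Object>) build.get("steps");
        Map<Object, Object> step = (Map<Object, Object>) steps.get(0);
        return root.get("defaults").equals(step.get("with"));
    }

    public static void main(String[] args) {
        Map<Object, Object> v11 = loadWithSnakeyaml(DOC);
        Map<Object, Object> v12 = loadWithEngine(DOC);
        System.out.println("snakeyaml       : on -> " + onKeyType(v11) + ", alias ok=" + aliasResolved(v11));
        System.out.println("snakeyaml-engine: on -> " + onKeyType(v12) + ", alias ok=" + aliasResolved(v12));
    }
}
```

Running it shows the `on` key coming back as a `Boolean` from snakeyaml and as a `String` from snakeyaml-engine, with the alias resolved in both cases. Any code that reads workflow keys by name (or round-trips a workflow through the parser) is where a move between the two libraries would be visible, so that is the part of sbt-github-actions worth checking before a lateral move to circe-yaml-v12.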