From 6c87a65fa3901b362c6f0b9e1ac8ee724b683cb0 Mon Sep 17 00:00:00 2001
From: ssrm
Date: Wed, 2 Sep 2020 20:44:44 -0400
Subject: [PATCH] Bump SnakeYAML from 1.19 to 1.26 to address CVE-2017-18640 (#207)

The SDK only parses YAML if the application has configured the SDK with a flag data file. It's unlikely CVE-2017-18640 would affect SDK usage as it requires configuration and access to a local file.
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 0e9a726d2..95a1d43f4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -76,7 +76,7 @@ ext.versions = [
     "okhttp": "4.8.1",
     // specify this for the SDK build instead of relying on the transitive dependency from okhttp-eventsource
     "okhttpEventsource": "2.3.1",
     "slf4j": "1.7.21",
-    "snakeyaml": "1.19",
+    "snakeyaml": "1.26",
     "jedis": "2.9.0"
 ]