Vulnerabilities from libraries used by stil
Looking at https://mvnrepository.com/artifact/uk.ac.starlink/stil/4.3 it is clear that there are some fairly serious security vulnerabilities in the json and yaml library dependencies - it would be good to update these (the json one is 10 years old!)
Thanks @pahjbo you are right. This is really just a case of updating the POM, I've been using snakeyaml v2.2 in development for a while now so the snakeyaml version in the POM is an oversight, and there are no source changes required for an update of JSON-java to 20240303. I've made changes so that the next STIL release should have these versions in the POM so that the CVEs go away. I can't easily test this without actually making a release, so I will leave this issue open until the next release, when I'll try to remember to check that this has actually happened.
I guessed that was probably the case - so it is fine for local use to override what the POM is saying before the next official release.
Correct. BTW from what I can tell the chances of users suffering security issues based on these vulnerabilities in practice seems rather remote.
probably but that security red light is rather binary - I only noticed it because the IDE that I use flashed up a warning at me!
I believe that the JSON-java-related warnings should have gone away for the most recent central-repo release of STIL, v4.3-1. If you get the chance, can you confirm and close the issue, thanks.
And a happy new year to you Mr Theduck.
Forgot to close earlier, but certainly no security warnings against 4.3.3.