Hi all, I am proposing that we make the jackson-dataformat-yaml dependency optional in our expansion service module[1]. This is because it depends on SnakeYAML, and there is a known CVE for it[2].
It seems that given the way we use SnakeYAML, the CVE is not feasible to exploit[2], but this will not stop tooling/user policies from being alerted, so it may be convenient to simply make the dependency optional.

I looked around for documentation on this code path (loading an allow list for the expansion service's classpath), but it's not very widely documented, so this feature may only be used by Beam devs, and not much by Beam users.

Thoughts on making the dependency optional?

Thanks!
-P.

[1] https://github.com/apache/beam/pull/25350
[2] https://github.com/snakeyaml/snakeyaml#cve
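For the code path the post describes (loading the expansion service's classpath allow list from YAML), one way to make the YAML module optional without breaking the rest of the service is to resolve the Jackson YAML factory reflectively and fail with a clear message only when that feature is actually used. This is an added illustration, not Beam's code and not the change in the linked PR; the class name, the allow-list document shape, and the assumption that jackson-dataformat-yaml becomes a compile-only (Gradle `compileOnly`) dependency while jackson-core and jackson-databind stay required are mine.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Hypothetical loader for an expansion-service classpath allow list.
 * Assumes jackson-dataformat-yaml is declared as an optional dependency
 * (Gradle "compileOnly"), so its classes may be absent at runtime.
 * jackson-core and jackson-databind are assumed to remain on the classpath.
 */
public final class AllowListLoader {
  // Fully qualified name of the optional module's entry point; referenced
  // only as a string so loading this class never triggers NoClassDefFoundError.
  private static final String YAML_FACTORY =
      "com.fasterxml.jackson.dataformat.yaml.YAMLFactory";

  /** True if the optional YAML module is present on the classpath. */
  public static boolean yamlSupportAvailable() {
    try {
      // initialize=false: just check presence, do not run static initializers
      Class.forName(YAML_FACTORY, false, AllowListLoader.class.getClassLoader());
      return true;
    } catch (ClassNotFoundException e) {
      return false;
    }
  }

  /**
   * Parses a YAML document of the (constructed) form
   *   allowlist:
   *     - fully.qualified.ClassName
   * and returns the listed class names. Throws a descriptive error when the
   * optional YAML module is missing, instead of an opaque linkage error.
   */
  public static List<String> load(String yaml) throws Exception {
    if (!yamlSupportAvailable()) {
      throw new IllegalStateException(
          "Loading a YAML allow list requires jackson-dataformat-yaml on the "
              + "classpath; add that dependency explicitly to use this feature.");
    }

    // Instantiate the YAML-backed JsonFactory reflectively so this class has
    // no compile-time reference to the optional module.
    Class<?> factoryClass = Class.forName(YAML_FACTORY);
    JsonFactory factory = (JsonFactory) factoryClass.getDeclaredConstructor().newInstance();
    ObjectMapper mapper = new ObjectMapper(factory);

    JsonNode root = mapper.readTree(yaml);
    JsonNode entries = root.path("allowlist");
    if (!entries.isArray()) {
      return Collections.emptyList();
    }
    List<String> result = new ArrayList<>();
    for (JsonNode entry : entries) {
      result.add(entry.asText());
    }
    return result;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample input, not a real Beam allow list.
    String sample =
        "allowlist:\n"
            + "  - org.example.SafeTransform\n"
            + "  - org.example.OtherTransform\n";
    if (yamlSupportAvailable()) {
      System.out.println(load(sample));
    } else {
      System.out.println("YAML module not on classpath; allow-list feature disabled.");
    }
  }
}
```

The point of the reflective lookup is that the expansion service itself keeps starting when the YAML module is left out of the build; only a deployment that actually supplies an allow-list file is affected, and it gets a message naming the missing dependency rather than a `NoClassDefFoundError` from deep inside Jackson. Parsing goes through `readTree`, so no user-controlled type information from the YAML is used to pick classes to instantiate; the allow list is treated purely as a list of strings.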