Hi all,
I am proposing that we make the jackson-dataformat-yaml dependency optional
in our expansion service module[1]. This is because it depends on
SnakeYAML, and there is a known CVE for it[2].

It seems that given the way we use SnakeYAML, the CVE is not feasible to
exploit[2], but this will not stop tooling/user policies from being
alerted, so it may be convenient to simply make the dependency optional.

I looked around for documentation on this code path (loading an allow list
for the expansion service's classpath), but it's not very widely
documented, so this feature may only be used by Beam devs, and not much by
Beam users.

Thoughts on making the dependency optional?
Thanks!
-P.

[1] https://github.com/apache/beam/pull/25350
[2] https://github.com/snakeyaml/snakeyaml#cve
