Bump up snakeyaml to 1.31 for fixing CVE-2022-25857 (#9567)
diff --git a/apm-webapp/pom.xml b/apm-webapp/pom.xml
index 2a8cb40..9eb5757 100644
--- a/apm-webapp/pom.xml
+++ b/apm-webapp/pom.xml
@@ -38,7 +38,7 @@
<frontend-maven-plugin.version>1.12.1</frontend-maven-plugin.version>
<logback-classic.version>1.2.11</logback-classic.version>
<jackson-version>2.13.2.2</jackson-version>
- <yaml.version>1.28</yaml.version>
+ <yaml.version>1.31</yaml.version>
<netty.version>4.1.77.Final</netty.version>
<ui.path>${project.parent.basedir}/skywalking-ui</ui.path>
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index 1c0f0f7..4a54d6a 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -395,7 +395,7 @@
https://mvnrepository.com/artifact/org.springframework.security/spring-security-crypto/5.6.3 Apache-2.0
https://mvnrepository.com/artifact/org.springframework.security/spring-security-rsa/1.0.10.RELEASE Apache-2.0
https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.7.3 Apache-2.0
- https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.28 Apache-2.0
+ https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.31 Apache-2.0
https://npmjs.com/package/typescript/v/4.4.4 4.4.4 Apache-2.0
========================================================================
@@ -543,7 +543,7 @@
The following components are provided under the MIT License. See project link for details.
The text of each license is also included in licenses/LICENSE-[project].txt.
- https://npmjs.com/package/@babel/parser/v/7.18.13 7.18.13 MIT
+ https://npmjs.com/package/@babel/parser/v/7.19.0 7.19.0 MIT
https://npmjs.com/package/@ctrl/tinycolor/v/3.4.0 3.4.0 MIT
https://npmjs.com/package/@egjs/hammerjs/v/2.0.17 2.0.17 MIT
https://npmjs.com/package/@element-plus/icons-vue/v/0.2.7 0.2.7 MIT
diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md
index 85a81c6..49d72f6 100644
--- a/docs/en/changes/changes.md
+++ b/docs/en/changes/changes.md
@@ -7,11 +7,13 @@
* Add component ID(133) for impala JDBC Java agent plugin and component ID(134) for impala server
* Use prepareStatement in H2SQLExecutor#getByIDs.(No function change).
+* Bump up snakeyaml to 1.31 for fixing CVE-2022-25857
#### UI
* Fix: tab active incorrectly, when click tab space
* Add impala icon for impala JDBC Java agent plugin.
+* (Webapp)Bump up snakeyaml to 1.31 for fixing CVE-2022-25857
#### Documentation
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index 6c0e522..c123daf 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -40,7 +40,7 @@
<joda-time.version>2.10.5</joda-time.version>
<zookeeper.version>3.5.7</zookeeper.version>
<guava.version>31.1-jre</guava.version>
- <snakeyaml.version>1.28</snakeyaml.version>
+ <snakeyaml.version>1.31</snakeyaml.version>
<protobuf-java.version>3.19.4</protobuf-java.version>
<protobuf-java-util.version>3.19.4</protobuf-java-util.version>
<commons-codec.version>1.11</commons-codec.version>
