@sdelamo
Last active February 15, 2023 17:18
Micronaut Framework 4.0 and SnakeYaml transitive dependency

Micronaut Framework 4.0, to be released in 2023, will not expose SnakeYAML as a transitive dependency.

SnakeYAML is a complete YAML 1.1 processor for the Java Virtual Machine (Java 8+).

YAML is a data serialization format designed for human readability and for interaction with scripting languages.

In Micronaut Framework 3.x, the io.micronaut:micronaut-core dependency exposes SnakeYAML as a transitive dependency.

Micronaut Framework uses SnakeYAML to read Application Configuration from files such as application.yml or bootstrap.yml.

However, you can define configuration not only with YAML but also with properties files, TOML, Config4k, or Apache Groovy files. Micronaut Framework is configuration format agnostic.

Micronaut Framework 4.0 will not expose SnakeYAML as a transitive dependency. Applications that do not use YAML no longer pull in a dependency they do not need.

Attackers often target parsing libraries such as SnakeYAML. The removal of SnakeYAML reduces the attack surface of the framework.
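The following is an added example, not code from this gist or from the Micronaut project, showing concretely what "parsing libraries are attack surface" means for SnakeYAML once it is on the classpath, and how to parse YAML that you do not control. It assumes org.yaml:snakeyaml is on the classpath (as in the build snippets in this gist) at a version that offers the SafeConstructor(LoaderOptions) constructor; the document string and class name are constructed for the example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added example, not Micronaut project code.
 *
 * Assumes org.yaml:snakeyaml is on the classpath at a version that has the
 * SafeConstructor(LoaderOptions) constructor.
 */
public class SnakeYamlLoadExample {

    /**
     * Constructed sample document. The "!!java.io.File" global tag asks the parser to
     * instantiate that JVM class, using the sequence items as constructor arguments.
     * java.io.File is harmless here; the point is that the tag can name any class
     * that happens to be on the classpath.
     */
    static final String UNTRUSTED_DOCUMENT = String.join("\n",
            "name: demo",
            "path: !!java.io.File [/etc/hostname]",
            "");

    /**
     * Trusted-input form. On SnakeYAML 1.x, new Yaml() uses the default Constructor,
     * which resolves global tags to classes and instantiates them, so the "path" value
     * comes back as a java.io.File rather than a String. Reserve this form for YAML you
     * control, such as your own application.yml.
     */
    static Object loadTrusted(String document) {
        return new Yaml().load(document);
    }

    /**
     * Hardened form for YAML from outside the trust boundary. SafeConstructor only builds
     * standard YAML types (maps, lists, scalars) and rejects every tag it does not know
     * by throwing a YAMLException.
     */
    static Map<String, Object> loadUntrusted(String document) {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);      // ambiguous documents are rejected
        options.setMaxAliasesForCollections(50);   // bounds alias expansion ("billion laughs")
        Yaml yaml = new Yaml(new SafeConstructor(options));
        return yaml.load(document);
    }

    public static void main(String[] args) {
        // Behaviour of the default Constructor depends on the SnakeYAML version
        // (1.x honours the tag; 2.x rejects custom global tags by default), so report
        // whichever happens instead of assuming one.
        try {
            Object trusted = loadTrusted(UNTRUSTED_DOCUMENT);
            Object path = ((Map<?, ?>) trusted).get("path");
            System.out.println("default Constructor produced: " + path.getClass().getName());
        } catch (YAMLException e) {
            System.out.println("default Constructor rejected the document: " + e.getMessage());
        }

        try {
            loadUntrusted(UNTRUSTED_DOCUMENT);
            System.out.println("unexpected: SafeConstructor accepted the tagged value");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
    }
}
```

Micronaut only uses SnakeYAML to read your own configuration files, which sit inside the trust boundary; the hardened form matters the moment the same library is reused elsewhere in the application on YAML supplied by a user or another service.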

How to keep using YAML for application configuration?

If you want to keep using YAML for application configuration in Micronaut Framework 4.0, add the following dependency to your Gradle build:

dependencies {
    ...
    runtimeOnly("org.yaml:snakeyaml")
}

Or to your Maven build:

  <dependencies>
    ...
    <dependency>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
      <scope>runtime</scope>
    </dependency>
  </dependencies>

You do not need to specify a version number, because the Micronaut BOM (Bill of Materials) pins the SnakeYAML version.

Build Plugins Warning

If you use YAML configuration and do not declare the SnakeYAML dependency, the Micronaut Build Plugins (Maven or Gradle) will warn you.

melix commented Feb 15, 2023

> Micronaut Framework is configuration agnostic.

--> Micronaut Framework is configuration format agnostic.

> Micronaut Framework 4.0 does not expose SnakeYAML as a transitive dependency.

--> Micronaut Framework 4.0 will not expose SnakeYAML as a transitive dependency anymore.

> Moreover, we reduce the attack surface by decreasing the number of transitive dependencies.

--> Because parsing libraries are often used as an attack vector, this also has the interesting effect of reducing the attack surface for hackers.

> If you want to keep using YAML for application configuration in Micronaut Framework 4.0, add the following dependency to your Gradle build:

You could add a note saying something like this: if you upgrade your application from Micronaut 3 to Micronaut 4 and depend on YAML configuration, the build plugins will automatically notify you that you need to add an external dependency on snakeyaml, should you forget to do it.

sdelamo (author) commented Feb 15, 2023

Micronaut Framework is configuration agnostic.

✅ > --> Micronaut Framework is configuration format agnostic.

Micronaut Framework 4.0 does not expose SnakeYAML as a transitive dependency.

✅ > --> Micronaut Framework 4.0 will not expose SnakeYAML as a transitive dependency anymore.

If you want to keep using YAML for application configuration in Micronaut Framework 4.0, add the following dependency to your Gradle build:

✅ > You could add a note saying something like this: if you upgrade your application from Micronaut 3 to Micronaut 4 and depend on YAML configuration, the build plugins will automatically notify you that you need to add an external dependency on snakeyaml, should you forget to do it.

I have added similar paragraph.

melix commented Feb 15, 2023

I still find that the way you formulate the security improvement is problematic, since it gives the impression that we have a problem today, which is not the case. We could have a problem.

sdelamo (author) commented Feb 15, 2023

> I still find that the way you formulate the security improvement is problematic, since it gives the impression that we have a problem today, which is not the case. We could have a problem.

I have changed it. It now says:

Attackers often target parsing libraries such as SnakeYAML. The removal of SnakeYAML reduces the attack surface of the framework.

I hope this addresses your concerns @melix

melix commented Feb 15, 2023

👍
