Micronaut Framework 4.0, to be released in 2023, will not expose SnakeYAML as a transitive dependency.
YAML is a data serialization format designed for human readability and interaction with scripting languages. SnakeYAML is a complete YAML 1.1 processor for the Java Virtual Machine (version 8+).
In Micronaut Framework 3.x, the dependency io.micronaut:micronaut-core exposes SnakeYAML as a transitive dependency. Micronaut Framework uses SnakeYAML to read application configuration from files such as application.yml or bootstrap.yml.
However, you can define configuration not just with YAML but with properties files, TOML, Config4k, or Apache Groovy files. Micronaut Framework is configuration format agnostic.
Micronaut Framework 4.0 will not expose SnakeYAML as a transitive dependency, so an application that does not use YAML no longer pulls in a dependency it does not need.
Parsing libraries such as SnakeYAML are frequent targets for attackers. Removing SnakeYAML from the default classpath reduces the attack surface of the framework.
If you want to keep using YAML for application configuration in Micronaut Framework 4.0, add the following dependency to your Gradle build:
dependencies {
    ...
    runtimeOnly("org.yaml:snakeyaml")
}
Or to your Maven build:
<dependencies>
    ...
    <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <scope>runtime</scope>
    </dependency>
</dependencies>
You do not have to specify a version number, since the Micronaut BOM (Bill of Materials) specifies a SnakeYAML version.
If you use YAML configuration and do not declare the SnakeYAML dependency, the Micronaut Build Plugins (Maven or Gradle) will warn you.
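The check the build plugins perform can also be useful as a standalone pre-upgrade audit, for example in a CI job that scans many services before moving them to Micronaut 4. The script below is an added example, not part of this post or of the Micronaut build plugins: it looks for application*.yml/bootstrap*.yml under src/main/resources, then inspects build.gradle(.kts) or pom.xml for an explicit org.yaml:snakeyaml dependency, and reports both the case that matters for correctness (YAML config present, SnakeYAML missing) and the reverse case that matters for attack surface (SnakeYAML declared, no YAML config). The sample project layouts it builds in a temporary directory are constructed for the demonstration; the function names and the result keys are this example's own.

```python
"""Pre-upgrade audit (added example, not Micronaut's own tooling).

Answers two questions for a Micronaut project directory:
  1. Does the project rely on YAML configuration files?
  2. Does its build declare org.yaml:snakeyaml explicitly?
Micronaut 4 no longer supplies SnakeYAML transitively, so (1) without (2)
means application.yml will have no parser at runtime; (2) without (1) means
a parsing library is on the classpath for no reason.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

YAML_CONFIG_BASENAMES = ("application", "bootstrap")   # application-prod.yml also counts
YAML_SUFFIXES = (".yml", ".yaml")

# Matches "org.yaml:snakeyaml" or "org.yaml:snakeyaml:<version>" in a Gradle script.
GRADLE_SNAKEYAML_RE = re.compile(r"""["']org\.yaml:snakeyaml(?::[^"']*)?["']""")


def yaml_config_files(project: Path) -> list:
    """Config files under src/main/resources that need a YAML parser to be read."""
    resources = project / "src" / "main" / "resources"
    if not resources.is_dir():
        return []
    found = []
    for path in sorted(resources.iterdir()):
        base = path.name.split(".")[0].split("-")[0]   # application-prod.yml -> application
        if base in YAML_CONFIG_BASENAMES and path.suffix in YAML_SUFFIXES:
            found.append(path.name)
    return found


def gradle_declares_snakeyaml(build_file: Path) -> bool:
    return bool(GRADLE_SNAKEYAML_RE.search(build_file.read_text()))


def maven_declares_snakeyaml(pom: Path) -> bool:
    """True if <project><dependencies> lists org.yaml:snakeyaml.

    Only the top-level <dependencies> block is consulted: entries under
    <dependencyManagement> pin versions but add nothing to the classpath.
    """
    def local(tag: str) -> str:          # strip the POM XML namespace
        return tag.rsplit("}", 1)[-1]

    root = ET.parse(pom).getroot()
    for block in root:
        if local(block.tag) != "dependencies":
            continue
        for dep in block:
            fields = {local(c.tag): (c.text or "").strip() for c in dep}
            if fields.get("groupId") == "org.yaml" and fields.get("artifactId") == "snakeyaml":
                return True
    return False


def audit(project: Path) -> dict:
    yaml_files = yaml_config_files(project)
    gradle_files = [f for f in ("build.gradle", "build.gradle.kts") if (project / f).is_file()]
    pom = project / "pom.xml"
    if gradle_files:
        declared = any(gradle_declares_snakeyaml(project / f) for f in gradle_files)
    elif pom.is_file():
        declared = maven_declares_snakeyaml(pom)
    else:
        declared = False
    return {
        "yaml_config_files": yaml_files,
        "snakeyaml_declared": declared,
        "needs_snakeyaml": bool(yaml_files) and not declared,   # config would be silently unreadable
        "unneeded_snakeyaml": declared and not yaml_files,      # parser on classpath with no YAML to parse
    }


def build_sample_project(root: Path, build_tool: str, declare: bool) -> Path:
    """Construct a throwaway project layout (sample data for this demo only)."""
    resources = root / "src" / "main" / "resources"
    resources.mkdir(parents=True)
    (resources / "application.yml").write_text("micronaut:\n  application:\n    name: demo\n")
    if build_tool == "gradle":
        dep = '    runtimeOnly("org.yaml:snakeyaml")\n' if declare else ""
        (root / "build.gradle.kts").write_text("dependencies {\n" + dep + "}\n")
    else:
        dep = ("    <dependency><groupId>org.yaml</groupId><artifactId>snakeyaml</artifactId>"
               "<scope>runtime</scope></dependency>\n") if declare else ""
        (root / "pom.xml").write_text(
            '<project xmlns="http://maven.apache.org/POM/4.0.0">\n  <dependencies>\n'
            + dep + "  </dependencies>\n</project>\n")
    return root


def demo() -> dict:
    """Audit four constructed projects: Gradle/Maven, with and without the dependency."""
    results = {}
    for tool in ("gradle", "maven"):
        for declare in (False, True):
            with tempfile.TemporaryDirectory() as tmp:
                results[(tool, declare)] = audit(build_sample_project(Path(tmp), tool, declare))
    return results


if __name__ == "__main__":
    for key, report in demo().items():
        print(key, report)
```

Run it against a real checkout with `audit(Path("/path/to/service"))`; a `needs_snakeyaml` result is exactly the situation the build plugins warn about, and `unneeded_snakeyaml` is a hint to drop the dependency (confirm first that nothing else in the application parses YAML).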
--> Micronaut Framework is configuration format agnostic.
--> Micronaut Framework 4.0 will not expose SnakeYAML as a transitive dependency anymore.
--> Because parsing libraries are often used as an attack vector, this also has the interesting effect of reducing the attack surface for hackers.
You could add a note saying something like this: if you upgrade your application from Micronaut 3 to Micronaut 4 and depend on YAML configuration, the build plugins will automatically notify you that you need to add an external dependency on snakeyaml, should you forget to do it.