Bumping dependencies versions #806
markgargan
started this conversation in
General
Replies: 1 comment
-
Hi @markgargan, thanks for getting in touch and letting us know about this. We do use Dependabot. snakeyaml is at 2.x thanks to Dependabot PRs in the latest version of Specmatic, which is 0.81.1. Could you please try this out and let us know. Thanks.
-
Hi there Joel,
We were looking to use Specmatic in our pipeline to determine the backward compatibility of our OpenAPI specs and detect breaking changes. Unfortunately, when we ran the Specmatic jar, 0.78.0, through our internal vulnerability scan, it came back with around 9 high vulnerabilities, which essentially meant we were unable to use it and had to revert to using spring-cloud-contract. That is a shame, because we felt that the Specmatic 'tests for free' really provided us with what we were looking for. Also, the ability to compare two OpenAPI YAMLs was perfect for our pre-commit hook.
For example, we detected an issue with the dependency org.yaml:snakeyaml that exists in version 1.3.3 and is fixed in version 2.
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
Would you know what your schedule for bumping dependency versions is, and whether or not you use GitHub's Dependabot?
Thanks,
Mark.
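For readers who hit the same scanner finding in their own code rather than in a transitive dependency, here is the mitigation the advisory quoted above describes, written as an added example (not code from this thread or from Specmatic). It assumes org.yaml:snakeyaml 2.x on the classpath, where `SafeConstructor` takes a `LoaderOptions`; the two YAML documents are constructed sample inputs, and `com.example.NotAllowed` is a made-up class name standing in for whatever global tag an untrusted document might carry.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoading {

    // Constructed sample input: an ordinary mapping, the shape a pipeline config
    // or an OpenAPI fragment would have.
    static final String PLAIN_DOC =
            "openapi: 3.0.3\n"
          + "info:\n"
          + "  title: Orders\n"
          + "  version: '1.0'\n";

    // Constructed sample input: a document carrying a global (non-standard) tag.
    // With the unrestricted Constructor a global tag names the class to instantiate;
    // SafeConstructor only knows the standard YAML tags and rejects anything else.
    // (com.example.NotAllowed is a placeholder name, not a real class.)
    static final String TAGGED_DOC = "!!com.example.NotAllowed {}\n";

    // Build a parser that only produces maps, lists, strings, numbers, booleans
    // and a few other standard scalar types, never application classes.
    static Yaml safeYaml() {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false); // reject ambiguous documents as well
        return new Yaml(new SafeConstructor(options));
    }

    public static void main(String[] args) {
        Yaml yaml = safeYaml();

        // Normal data still loads as plain collections.
        Map<String, Object> doc = yaml.load(PLAIN_DOC);
        System.out.println("parsed openapi version: " + doc.get("openapi"));

        // A document that asks for an arbitrary type is refused instead of constructed.
        try {
            yaml.load(TAGGED_DOC);
            System.out.println("unexpected: tagged document was constructed");
        } catch (YAMLException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The important line is `new Yaml(new SafeConstructor(options))`: with the default `Constructor` the second document would be resolved to a class name and instantiated, which is the deserialization path the advisory refers to. Swapping in `SafeConstructor` is the change to look for when reviewing code that parses YAML from outside the trust boundary; for a dependency you do not control, the fix is the version bump discussed in this thread.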