Markup SpringBoot users need to specify SnakeYAML version in Github Wiki

[linghengqian]

Feature Request

For English only, other languages will not accept.

Please pay attention on issues you submitted, because we maybe need more details.
If no response anymore and we cannot make decision by current information, we will close it.

Please answer these questions before submitting your issue. Thanks!

Is your feature request related to a problem?

• Yes, refer to Update Snakeyaml to 1.33 and open YAML 3MB limit #21351 .

Describe the feature you would like.

• In Update Snakeyaml to 1.33 and open YAML 3MB limit #21351, a new method for serving LoaderOptions introduced since SnakeYAML 1.32 is enabled. This stems from a series of CVEs that have existed since SnakeYAML 1.30 and can be traced back to [issue-15259] upgrade snakeyaml due to cve #15260 .

• According to CVE-2022-25857 - Upgrade to SnakeYAML 1.31 spring-projects/spring-boot#32221 , at present, Spring community ensures SnakeYAML <= 1.30 in Spring Boot OSS < 3.0.0-M5 version. Therefore, if the users of ShardingSphere JDBC use the version of SpringBoot OSS < 3.0.0-M5, they must manually specify the version of SnakeYAML in pom.xml and other files, similar to the following.

<dependencies>
  <dependency>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
      <version>1.33</version>
  </dependency>
</dependencies>

• I think we should markup SpringBoot users need to specify SnakeYAML version in Github Wiki.
• update in 2023.03.31: According to Loading application.yml fails with NoSuchMethodError when using SnakeYAML 2.0 spring-projects/spring-boot#34405 (comment), if users are using Spring Boot OSS 2.x instead of Spring Boot OSS 3.x, they should use SnakeYAML 1.33 instead of SnakeYAML 2.0. Also, Spring Framework is not ready for SnakeYAML 2.0, refer to Upgrade to SnakeYAML 2.0 spring-projects/spring-framework#30048

[linghengqian]

• @Swastyy I just found out that the processor of Move FAQ from document to wiki page #19383 is you, could post it on Github Wiki and mark it? I don't have editing rights.

[Swastyy]

Ok @linghengqian , I will do it.

[trydofor]

<snakeyaml.version>1.33</snakeyaml.version>
override the parent pom.xml's property

[linghengqian]

• Due to Transition from Java EE to Jakarta EE #26041, the description of SnakeYAML is more suitable for the Quick Start section of Spring Boot. I'll start working on this issue.