This is a change in order to be prepared for upcoming updates in SpringBoot, which will use Snakeyaml version 2.0!

The code, using the default constructor of Snakeyaml was changed, so the it conforms with CVE-2022-1471. The library org.yaml:snakeyaml:jar:1.33 though was not updated to the latest version, as this might cause problems with SpringBoot and its ability to read application properties also in YAML format. SpringBoot currently still uses the version 1.33 of Snakeyaml.

Nonetheless, this update includes a breaking change regarding the authoring of the YAML files used to define rich text transformations in headless.

The YAML standard does not allow global tags anymore. Thus, the transformation definitions coming with HeadlessServer in file classes.yml had to be changed, e.g. the usage of java.util.ArrayList in a global tag is not allowed anymore and was changed to the standard (java agnostic) name seq . Starting with Snakeyaml version 2.0 this will be enforced.

(CMS-22895)