The art of simplicity is a puzzle of complexity.

CVE

When you are here because of some vulnerability report please be aware that it is most probably a false positive.

When you use SnakeYAML to configure your application you are totally safe.

When a low quality tooling is complaining

1. Go to the issue tracker of your low quality tooling and file a bug report about a false positive. You will be impressed with the amount of bugs already created and ignored (this makes the tool low quality - the bugs are created but ignored). The big amount of already reported issues should not stop you - they must be aware of the stream of false positives they produce.
2. Go to your manager or security specialist and present this information. If you pay for the low quality tooling they cannot leave it unattended.
3. Develop further and be happy !

Overview

YAML is a data serialization format designed for human readability and interaction with scripting languages.

SnakeYAML is a YAML 1.1 processor for the Java Virtual Machine version 8+. For YAML 1.2 (which is a superset of JSON) you may have a look at SnakeYAML Engine

SnakeYAML features

• a complete YAML 1.1 processor. (If you need YAML 1.2 support have a look here). In particular, SnakeYAML can parse all examples from the specification.
• Unicode support including UTF-8/UTF-16 input/output.
• high-level API for serializing and deserializing native Java objects.
• support for all types from the YAML types repository.
• relatively sensible error messages.
• when you plan to feed the parser with untrusted data please study the settings which allow to restrict incoming data.

Info

• Changes
• Documentation
• CVE and untrusted data

Contribute

• GIT is now used to dance with the source code.
• If you find a bug in SnakeYAML, please file a bug report.
• You may discuss SnakeYAML at the mailing list.
• Slack workspace
• Telegram group is removed because of the spam
• YAML community

JMH microbenchmarks

To execute the JMH microbenchmarks locally via Maven:

./mvnw jmh:benchmark

This will produce console results such as the following, as well as a ./jmh-result.json that can be visualized via https://jmh.morethan.io/ .

Benchmark                    (entries)  Mode  Cnt    Score     Error  Units
EmitterBenchmark.emitScalar        N/A  avgt    3    0.299 ±   0.047  us/op
ParseBenchmark.load               1000  avgt    3    1.388 ±   0.103  ms/op
ParseBenchmark.load             100000  avgt    3  258.281 ± 367.009  ms/op
ParseBenchmark.parse              1000  avgt    3    0.886 ±   0.163  ms/op
ParseBenchmark.parse            100000  avgt    3   94.930 ±   3.995  ms/op