Hey folks,

Opening a thread to get input on a proposed dependency deprecation in 5.0: metrics-reporter-config has been archived for 3 years and not updated in nearly 6 years.

This project has a minor security issue with its usage of unsafe YAML loading via snakeyaml’s unprotected Constructor: https://nvd.nist.gov/vuln/detail/CVE-2022-1471

This CVE is reasonable to suppress, since operators should be able to trust their YAML configuration files. The rationale for this proposed deprecation is that the upcoming 5.0 release is a good time to evaluate dependencies that are no longer receiving updates and will become risks in the future.

https://issues.apache.org/jira/browse/CASSANDRA-18743

— Abe