From e9ee01f57f4a93e4c6e64413d2534acc16d75144 Mon Sep 17 00:00:00 2001
From: Charles Oliver Nutter
Date: Sat, 14 Mar 2026 02:07:29 -0500
Subject: [PATCH] Update SnakeYAML-Engine to 3.0.1

There are two CVEs in Guava, which is a test-scoped dependency of this library. Guava is not shipped with the library so these CVEs do not affect users, but the dependency may trigger security tools. We update to avoid this false positive.
https://www.cve.org/CVERecord?id=CVE-2023-2976
https://www.cve.org/CVERecord?id=CVE-2020-8908
Fixes ruby/psych#780
---
 lib/psych/versions.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/psych/versions.rb b/lib/psych/versions.rb
index 4c7a80d5..6b22379f 100644
--- a/lib/psych/versions.rb
+++ b/lib/psych/versions.rb
@@ -5,6 +5,6 @@ module Psych
 VERSION = '5.3.1'
 
 if RUBY_ENGINE == 'jruby'
- DEFAULT_SNAKEYAML_VERSION = '2.10'.freeze
+ DEFAULT_SNAKEYAML_VERSION = '3.0.1'.freeze
 end
 end