ua-parser / uap-scala

Scala port of ua-parser


Change yaml parser to org.snakeyaml:snakeyaml-engine

NAJ10 opened this issue · comments

commented

The existing snakeyaml library is listed as vulnerable to security vulnerabilities because it allows creation of arbitrary Java objects, which could lead to remote code execution. org.snakeyaml:snakeyaml-engine seems to be a follow-on from the existing snakeyaml library from the same developers, but is able to parse YAML 1.2. Please could you consider using snakeyaml-engine to help developers working in organisations where automated security scanning for vulnerable dependencies causes friction between in-house security teams and ordinary developers who happen to pull in uap-scala as a dependency.

commented

Since raising the issue there has been a 2.0 release of the snakeyaml library that also apparently fixes the issue. See https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes

snakeyaml has been upgraded to 2.0 in uap-scala version 0.15.0.
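The point raised in this thread, shown side by side, as an added example that is not part of the issue and not uap-scala's own code. It assumes org.yaml.snakeyaml:snakeyaml 1.33 (the last 1.x line) and org.snakeyaml:snakeyaml-engine 2.x on the classpath, Scala 2.13 syntax, and a constructed regexes.yaml-style document in which one value carries a global `!!<class>` tag; `java.net.URL` is a harmless stand-in for whatever class an attacker would name.

```scala
// Added example (not uap-scala's code). Assumes org.yaml.snakeyaml:snakeyaml 1.33
// and org.snakeyaml:snakeyaml-engine 2.x on the classpath; Scala 2.13 syntax.
import org.yaml.snakeyaml.{LoaderOptions, Yaml}
import org.yaml.snakeyaml.constructor.SafeConstructor
import org.snakeyaml.engine.v2.api.{Load, LoadSettings}
import scala.util.{Failure, Success, Try}

object YamlLoaderComparison {

  // Constructed input: a regexes.yaml-style document in which one value carries a
  // global tag (`!!<fully qualified class>`) asking the loader to instantiate a JVM
  // class. java.net.URL is a harmless stand-in; the point is that the class name
  // comes from the document, not from the application.
  val taggedDocument: String =
    """|user_agent_parsers:
       |  - regex: !!java.net.URL 'http://attacker.example/'
       |    family_replacement: 'Example'
       |""".stripMargin

  // SnakeYAML 1.x with the default Constructor: global tags are resolved against
  // the classpath, so the value becomes a java.net.URL instance built from
  // attacker-controlled text.
  def loadWithDefaultConstructor(doc: String): Any =
    new Yaml().load[Any](doc)

  // SnakeYAML 1.x hardened: SafeConstructor only knows the standard YAML types
  // (maps, sequences, strings, numbers, ...) and rejects class tags.
  def loadWithSafeConstructor(doc: String): Any =
    new Yaml(new SafeConstructor(new LoaderOptions())).load[Any](doc)

  // snakeyaml-engine (YAML 1.2): its standard constructor does no classpath
  // lookup at all, so a global tag it does not know is an error.
  def loadWithEngine(doc: String): Any =
    new Load(LoadSettings.builder().build()).loadFromString(doc)

  private def describe(label: String, attempt: Try[Any]): String = attempt match {
    case Success(v) => s"$label: parsed, regex value is ${regexValueClass(v)}"
    case Failure(e) => s"$label: rejected with ${e.getClass.getSimpleName}"
  }

  // Dig out the runtime class of the `regex` value so the loaders can be compared.
  private def regexValueClass(parsed: Any): String = parsed match {
    case m: java.util.Map[_, _] =>
      m.get("user_agent_parsers") match {
        case l: java.util.List[_] =>
          l.get(0) match {
            case entry: java.util.Map[_, _] => entry.get("regex").getClass.getName
            case other                      => other.getClass.getName
          }
        case other => other.getClass.getName
      }
    case other => other.getClass.getName
  }

  def main(args: Array[String]): Unit = {
    println(describe("snakeyaml 1.x default", Try(loadWithDefaultConstructor(taggedDocument))))
    println(describe("snakeyaml 1.x SafeConstructor", Try(loadWithSafeConstructor(taggedDocument))))
    println(describe("snakeyaml-engine", Try(loadWithEngine(taggedDocument))))
  }
}
```

Against snakeyaml 1.x the first loader reports the `regex` value as `java.net.URL`, i.e. the document chose which class to construct; the other two fail with a constructor exception instead. The same `new Yaml()` call against snakeyaml 2.0 also rejects the tag, because 2.0 disallows global tags by default unless a `TagInspector` is configured on `LoaderOptions` to permit them, which is why the 2.0 bump described in the last comment addresses the scanner finding without switching libraries.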