
Update to JRuby 9.4.3.0 #1234

Merged
merged 2 commits into from
Sep 11, 2023

Conversation

headius
Contributor

@headius headius commented Sep 11, 2023

JRuby 9.4.3.0 includes an updated Psych YAML library, which uses SnakeYAML-Engine and avoids several CVEs against the original SnakeYAML. By updating here, downstream users of asciidoctorj will not run into security audit issues.

See related issues and PRs:

Thank you for opening a pull request and contributing to AsciidoctorJ!

Please take a bit of time giving some details about your pull request:

Kind of change

  • Bug fix (sorta, update JRuby to get away from false-ish CVEs in SnakeYAML)
  • New non-breaking feature
  • New breaking feature
  • Documentation update
  • Build improvement

Description

What is the goal of this pull request?

  • Update JRuby to get a version that does not use CVE-ridden SnakeYAML

How does it achieve that?

  • Updates JRuby to 9.4.3.0

Are there any alternative ways to implement this?

  • Not really

Are there any implications of this pull request? Anything a user must know?

  • YAML compliance rises to 1.2, which may reject YAML that was valid in 1.0 or 1.1.

Release notes

Please add a corresponding entry to the file CHANGELOG.adoc

JRuby 9.4.3.0 includes an updated Psych YAML library, which uses
SnakeYAML-Engine and avoids several CVEs against the original
SnakeYAML. By updating here, downstream users of asciidoctorj will
not run into security audit issues.

See related issues and PRs:

* jruby/jruby#7570
* jruby/jruby#7600
* jruby/jruby#7626
* jruby/jruby#7935
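The compatibility note above (YAML compliance rising to 1.2) is the part of this upgrade most likely to bite downstream users. As an added example that is not part of the PR or of the asciidoctorj project, the Ruby check below walks a YAML document with Psych's parser and reports the plain scalars that YAML 1.1 (libyaml-backed Psych on CRuby) resolves specially but that the YAML 1.2 core schema used by SnakeYAML-Engine reads as plain strings or different numbers. `yaml12_drift`, `sexagesimal_to_i` and `SAMPLE_YAML` are constructed for this illustration.

```ruby
require 'psych'

# YAML 1.1 plain-scalar spellings that the YAML 1.2 core schema resolves differently.
LEGACY_BOOL   = /\A(?:y|Y|yes|Yes|YES|on|On|ON)\z/             # 1.1: true,   1.2: string
LEGACY_FALSE  = /\A(?:n|N|no|No|NO|off|Off|OFF)\z/             # 1.1: false,  1.2: string
LEGACY_OCTAL  = /\A[-+]?0[0-7]+\z/                             # 0644: 420 in 1.1, 644 in 1.2
LEGACY_SEXAGE = /\A[-+]?[0-9]+(?::[0-5]?[0-9])+\z/             # 1:30: 90 in 1.1, "1:30" in 1.2
LEGACY_UNDERS = /\A[-+]?[0-9][0-9_]*_[0-9_]*\z/                # 10_000: 10000 in 1.1, string in 1.2

# Hypothetical helper: resolve a base-60 scalar the way YAML 1.1 does.
def sexagesimal_to_i(str)
  sign = str.start_with?('-') ? -1 : 1
  sign * str.delete('+-').split(':').map(&:to_i).reduce(0) { |acc, part| acc * 60 + part }
end

# Hypothetical check: returns one {line:, value:, yaml11:, yaml12:} hash per untagged
# plain scalar (keys included) whose meaning changes between YAML 1.1 and 1.2.
def yaml12_drift(yaml_text)
  doc = Psych.parse(yaml_text)
  return [] unless doc
  doc.each.filter_map do |n|
    next unless n.is_a?(Psych::Nodes::Scalar) && n.plain && n.tag.nil?
    v = n.value
    pair = case v
           when LEGACY_BOOL   then [true, v]
           when LEGACY_FALSE  then [false, v]
           when LEGACY_OCTAL  then [v.to_i(8), v.to_i]
           when LEGACY_SEXAGE then [sexagesimal_to_i(v), v]
           when LEGACY_UNDERS then [v.delete('_').to_i, v]
           end
    next unless pair
    { line: n.start_line + 1, value: v, yaml11: pair[0], yaml12: pair[1] }
  end
end

# Constructed sample: attribute-style YAML written with YAML 1.1 habits.
SAMPLE_YAML = <<~YAML
  toc: yes
  sectnums: on
  file_mode: 0644
  timeout: 1:30
  max_lines: 10_000
  title: "yes"
YAML

if __FILE__ == $0
  yaml12_drift(SAMPLE_YAML).each do |f|
    puts "line #{f[:line]}: #{f[:value].inspect} is #{f[:yaml11].inspect} in YAML 1.1 but #{f[:yaml12].inspect} in YAML 1.2"
  end
end
```

The quoted `"yes"` on the last sample line is a string under both specs and is correctly not reported; the check is independent of which Psych backend runs it, since it inspects the parse tree rather than the loaded values.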
@headius
Contributor Author

headius commented Sep 11, 2023

Ok I misspoke... current asciidoctorj uses 9.4.1.0 which DOES use the newer Psych that switched to SnakeYAML-Engine. So there's no immediate rush on merging and releasing this PR.

Sorry for the noise. You can close this if you like, but of course 9.4.3.0 is better than 9.4.1.0 (and 9.4.4.0 will be better than that in a week or two).

@headius
Contributor Author

headius commented Sep 11, 2023

FYI I deleted a comment here that was intended for another project.

@robertpanzer robertpanzer merged commit 9f2d1ff into asciidoctor:main Sep 11, 2023
@robertpanzer
Member

Thank you so much!
Really appreciate this.

@headius headius deleted the jruby_update branch September 11, 2023 21:03
@robertpanzer robertpanzer mentioned this pull request Sep 17, 2023