Bump snakeyaml from 1.31 to 1.33 to resolve CVE-2022-38752 on JRuby

[chadlwilson]

Resolves CVE-2022-38752 and makes another couple of defensive changes around code point limits.

Additional context

• Follow up to Bump snakeyaml from 1.28 to 1.31 to resolve CVE-2022-25857 #574
• Most issue discussion here. Seems a relatively minor issue, but will help folks reduce noise from scanners.
• Snakeyaml changelog

[headius]

Nice!

[headius]

I merged all three of these so we can do releases of any branch and know it will have the updated SnakeYAML with all CVE fixes.

@hsbt @tenderlove A release of 3.x would be good for JRuby 9.3 since that version is trying to maintain parity with Ruby 2.6. I'm not sure if it's necessary to release a 4.x update if the 5.x versions are ok to use on Ruby 3.1-compatible runtimes like JRuby 9.4 will be.

[headius]

Aha, nevermind... I see that 5.0 is still a dev version, so we will want 4.x and 3.x releases to support JRuby 9.4 and 9.3.

[hsbt]

Just released them.

• https://github.com/ruby/psych/releases/tag/v4.0.6
• https://github.com/ruby/psych/releases/tag/v3.3.4

[headius]

@hsbt Thank you!

[chadlwilson]

@headius Would you like me to raise JRuby PRs for 9.3 and 9.4 (master) or is it easier for you to update&push directly?

[headius]

We at least need an issue for the record, I think. Given the CVEs and all.