
GitHub complains about pyyaml having a security vulnerability #901

Closed
ThoreKr opened this issue Mar 10, 2019 · 2 comments

Comments

@ThoreKr

ThoreKr commented Mar 10, 2019

Description

GitHub complains that the used version of pyyaml is smaller than 4.2b1, which is affected by CVE-2017-18342.

I don't really get why it is considered high severity since it only affects the non-recommended way of using pyyaml, but nevertheless it generates emails on every push to every team member and shows annoying warning signs on almost every page.

Steps to reproduce

Set up a repository with pipenv and install connexion (need to have the affected version of pyyaml in the Pipfile.lock).

@dtkav
Collaborator

dtkav commented Mar 11, 2019

Unfortunately we're stuck between a rock and a hard place here.
Bumping to 4.2b1 appears to break pipenv (because 4.2b1 is a beta version).

One of connexion's dependencies went through this saga: python-openapi/openapi-spec-validator#60

Relevant Connexion Issue: #886
Relevant Connexion PR: #897

I believe the best course of action is to wait for pyyaml to release a non-beta version. I'm not sure what the timeline is.

Our use of pyyaml shouldn't exercise vulnerable code paths, as we use safe_load and/or extend the safe loader class.

@dtkav dtkav pinned this issue Mar 12, 2019
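The comment above rests on two practices: loading untrusted YAML only through `safe_load`, and registering application-specific tags on a subclass of `SafeLoader` rather than falling back to the full loader. The following is an added example (not code from connexion or from this thread) that checks both behaviours: it shows `safe_load` refusing a `!!python/object/apply` document, the class of input behind CVE-2017-18342, and shows that a `SafeLoader` subclass with one explicitly registered tag still refuses the same document. The sample YAML documents and the `!secret` tag are constructed for the example.

```python
# Added example: verifying that the safe loader rejects python/* tags and
# that extending SafeLoader keeps that property. Not connexion's code.
import yaml

# Constructed sample input: a python/object/apply tag. safe_load must refuse
# it regardless of what callable it names (math.sqrt is used here as a benign
# stand-in; the refusal is the point, not the callable).
PYTHON_TAG_DOC = "value: !!python/object/apply:math.sqrt [16]"

# Constructed sample input in the shape of an OpenAPI document.
API_DOC = """
openapi: "3.0.0"
info:
  title: demo
  version: "1.0"
"""

# Constructed sample input using an application-specific tag.
SECRET_DOC = "db_password: !secret prod/db"


def parse(text, loader=yaml.SafeLoader):
    """Load `text` with `loader` and return (data, None) on success or
    (None, error_class_name) when the loader refuses a tag."""
    try:
        return yaml.load(text, Loader=loader), None
    except yaml.YAMLError as exc:
        return None, type(exc).__name__


class AppLoader(yaml.SafeLoader):
    """SafeLoader extended with exactly one whitelisted custom tag.

    PyYAML copies the constructor table on first add_constructor call, so
    registering a tag here does not change yaml.SafeLoader itself."""


def _construct_secret_ref(loader, node):
    # Hypothetical tag handler: resolve `!secret name` to a reference record
    # rather than executing anything.
    name = loader.construct_scalar(node)
    return {"secret_ref": name}


AppLoader.add_constructor("!secret", _construct_secret_ref)


if __name__ == "__main__":
    print(parse(API_DOC))                     # normal document loads
    print(parse(PYTHON_TAG_DOC))              # (None, 'ConstructorError')
    print(parse(SECRET_DOC, AppLoader))       # custom tag resolved
    print(parse(PYTHON_TAG_DOC, AppLoader))   # still (None, 'ConstructorError')
    print(parse(SECRET_DOC))                  # plain SafeLoader does not know !secret
```

A useful regression check in a project that extends the safe loader is the last two calls: the subclass must still reject `python/*` tags, and the base `SafeLoader` must remain untouched by the subclass's registrations.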
@dtkav
Collaborator

dtkav commented Mar 12, 2019

From the folks behind pyyaml (yaml/pyyaml#259 (comment)):
There's a pyyaml release planned in a few days that will resolve this issue.
After it is released, we can work with our dependencies to bump to that version.
