
Upgrade insecure dependency PyYAML to 4.2b2+ #897

Closed

Conversation

iamyohann

Changes proposed in this pull request:

iamyohann changed the title from "Bump PyYAML to 4.2b2+" to "Upgrade insecure dependency PyYAML to 4.2b2+" on Mar 6, 2019
@dtkav
Collaborator

dtkav commented Mar 6, 2019

Hey @iamyohann,

Have a read through this thread: python-openapi/openapi-spec-validator#60

TL;DR - We can't pin a beta release, as it will break dependency managers like pipenv. However, this CVE only relates to the use of yaml.load(), which we do not use (we use safe_load, or extend the safe loader).
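An added example, not code from this PR or from the project, of the distinction drawn above: a `yaml.SafeLoader` subclass extended with one application tag still refuses the `!!python/...` tags that make an unrestricted `yaml.load()` dangerous. The `SpecLoader` class, the `!semver` tag and the sample documents are hypothetical.

```python
import yaml
from yaml.constructor import ConstructorError

# Constructed sample documents (not from the PR): a benign spec fragment and one
# carrying a python-specific tag that only the unsafe loader would honour.
BENIGN_DOC = 'name: petstore\nversion: !semver 1.0.0\npaths:\n  - /pets\n  - "/pets/{id}"\n'
TAGGED_DOC = "handler: !!python/name:os.getcwd\n"


class SpecLoader(yaml.SafeLoader):
    """SafeLoader extended with one application tag; everything else stays safe.

    Hypothetical name for the kind of 'extended safe loader' mentioned above.
    """


def construct_semver(loader, node):
    """Turn '!semver 1.2.3' into (1, 2, 3); reject anything but three dotted ints."""
    text = loader.construct_scalar(node)
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ConstructorError(None, None, "invalid semver %r" % text, node.start_mark)
    return tuple(int(p) for p in parts)


# Registering on the subclass copies the constructor table; yaml.SafeLoader is untouched.
SpecLoader.add_constructor("!semver", construct_semver)


def load_spec(text):
    """Parse YAML with the extended safe loader (safe_load is Loader=SafeLoader)."""
    return yaml.load(text, Loader=SpecLoader)


def classify(text):
    """'ok' if the document parses under the safe loader, 'rejected' if a tag is refused."""
    try:
        load_spec(text)
    except ConstructorError:
        # SafeLoader has no constructor for python/* tags, so they end up here
        # instead of importing or calling anything.
        return "rejected"
    return "ok"


if __name__ == "__main__":
    print(load_spec(BENIGN_DOC))
    print(classify(TAGGED_DOC))
```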

@iamyohann
Author

@dtkav I see. Can I leave this PR open until a stable version of PyYAML is released?

@dtkav
Collaborator

dtkav commented Mar 6, 2019 via email

@ThoreKr

ThoreKr commented Mar 14, 2019

So with 5.1 it should be fine unless there are also side effects as in yaml/pyyaml#265?

@dtkav
Collaborator

dtkav commented Mar 15, 2019

Superseded by #902.

@dtkav dtkav closed this Mar 15, 2019
@dtkav dtkav removed the waiting label Mar 15, 2019