This repository has been archived by the owner on Jan 7, 2024. It is now read-only.

0.0.7: Update PyYAML to 5.1 or better #72

Merged
merged 1 commit into from
Apr 15, 2019
Merged

Conversation

rmol
Contributor

@rmol rmol commented Apr 12, 2019

Require PyYAML >= 5.1,<6.

Fixes #52.

@rmol rmol force-pushed the fix-52-pyyaml-cve branch from e10c39d to 717ca89 Compare April 12, 2019 21:17
@rmol rmol force-pushed the fix-52-pyyaml-cve branch from 717ca89 to 219d72e Compare April 12, 2019 22:22
@redshiftzero
Contributor

Diff/changelog dependency review done here, all looked good given context in yaml/pyyaml#257. One thing relevant for other updates of this dependency is:

In a future release (after 5.1) yaml.load() will raise an exception if you don’t
explicitly choose the Loader to use.

(though we don't need to worry about this in this repo as we bring in this dependency via vcrpy).

Contributor

@redshiftzero redshiftzero left a comment


LGTM, when you've done your diff/changelog review, comment as such and merge this in @rmol!

@rmol
Contributor Author

rmol commented Apr 13, 2019

Agreed. I don't see any problems with the updates to 5.1. We do need to make sure that we explicitly use the safe variants of load/Loader wherever possible.

@rmol rmol self-assigned this Apr 13, 2019
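The point about the safe variants, as an added example that is not part of this PR or of PyYAML's own code: it assumes PyYAML >= 5.1 is installed (the floor this PR sets), and uses a constructed document in which one node carries a `!!python/object/apply` tag. `yaml.unsafe_load` (the pre-5.1 default behaviour of `yaml.load`) calls the tagged function while loading; `yaml.safe_load` and `yaml.load(..., Loader=yaml.SafeLoader)` refuse the tag. The last helper also shows what the quoted PyYAML note is about: calling `yaml.load` with no `Loader` warns on 5.1 through 5.4 and raises on 6.0 and later.

```python
"""Added example (not the PR's or PyYAML's code): safe vs. unsafe YAML loading.

Assumes PyYAML >= 5.1, so yaml.safe_load, yaml.unsafe_load and the
explicit-Loader form of yaml.load are all available.
"""
import warnings

import yaml
from yaml.constructor import ConstructorError

# Constructed sample documents, not taken from the page. The "banner" node in
# MALICIOUS_DOC asks the loader to *call* subprocess.check_output(["echo", "pwned"])
# while building the document. Note that subprocess is not imported here: the
# unsafe loader imports whatever module the tag names, on the attacker's behalf.
MALICIOUS_DOC = """\
service: accounts
retries: 3
banner: !!python/object/apply:subprocess.check_output
  - [echo, pwned]
"""

BENIGN_DOC = """\
service: accounts
retries: 3
banner: hello
"""


def load_unsafe(text):
    """Behaves like yaml.load(text) did before 5.1: every python/* tag is honoured,
    so loading MALICIOUS_DOC runs a subprocess and stores its output."""
    return yaml.unsafe_load(text)


def load_safe(text):
    """Constructs only plain YAML types (mappings, sequences, scalars)."""
    return yaml.safe_load(text)


def safe_loader_rejects(text):
    """True if the explicit SafeLoader refuses the document because of a tag it
    does not construct. This is the form to use when code already calls yaml.load."""
    try:
        yaml.load(text, Loader=yaml.SafeLoader)
    except ConstructorError:
        return True
    return False


def default_loader_behaviour(text):
    """What yaml.load(text) with no Loader does on the installed PyYAML.

    5.1 - 5.4: loads with FullLoader and emits YAMLLoadWarning.
    6.0+:      raises TypeError because Loader became a required argument.
    Returns a short description so callers (and tests) can check it.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            yaml.load(text)
        except TypeError:
            return "raises TypeError (PyYAML >= 6.0)"
    if caught:
        return "warns: " + str(caught[0].message)
    return "loads silently"


if __name__ == "__main__":
    print("unsafe_load banner:", load_unsafe(MALICIOUS_DOC)["banner"])
    print("safe_load benign:", load_safe(BENIGN_DOC))
    print("SafeLoader rejects malicious doc:", safe_loader_rejects(MALICIOUS_DOC))
    print("yaml.load without Loader:", default_loader_behaviour(BENIGN_DOC))
```

Run it against the benign document to see the version-dependent warning or error; the malicious document is only ever passed to the unsafe path deliberately, to show what a `yaml.load` call without a safe loader would have done to untrusted input.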
Contributor

@kushaldas kushaldas left a comment


We are still missing the diff of the source code and a review of that based on the actual source tarballs :)

Because it is a dev dependency, not for production.

Contributor

@kushaldas kushaldas left a comment


Approving this as this is still a dev dependency. Nothing to do with production usage.

@rmol rmol merged commit 814e157 into master Apr 15, 2019
@rmol rmol deleted the fix-52-pyyaml-cve branch April 15, 2019 18:02
Successfully merging this pull request may close these issues.

Update pyyaml when 4.2 release is available due to CVE-2017-18342