Bump depedencies pyyaml 5.1

[eamanu]

Hi,

I'm working on Bump elasticsearch-curator [1] to 5.8.1 on unstable (next Bullseyes). We have an incompatibility during building the package because currently on unstable is pyyaml on 5.1.2 version [2].

I look the issue [3] but I am not sure if that patch allow us use pyyaml 5.1.

So, I open this issue to know if exist a plan to update the pyyaml requirement.

[1] https://tracker.debian.org/pkg/elasticsearch-curator
[2] https://tracker.debian.org/pkg/pyyaml
[3] #1368

Specifications

• Version: 5.8.1
• Platform: Debian
• Subsystem: unstable

Thanks!
Cheers

[untergeek]

I apologize for the inconvenience, but Curator cannot, in its present state, run with pyyaml 5.1. It will require some breaking API changes to accommodate the newer version of pyyaml.

My best advice to you if you are not able to use the provided DEB package would be to build using a virtualenv where Python dependencies can be self-managed/contained.

[hydrapolic]

Any plans with this?

In Gentoo Linux we don't ship packages with virtualenv, but install into the main system. And Curator is the last user of Pyyaml-3, which is vulnerable. If we cannot upgrade to anything newer, we need to remove Curator from Gentoo completely :(

As the primary package maintainer of Curator in Gentoo I must say it's a sad end.

[hydrapolic]

As a workaround:
sed -i 's/yaml.load/yaml.unsafe_load/g' curator/utils.py test/unit/*

Tests pass with latest pyyaml-5.3.1.

[untergeek]

There will be a 5.9 release of Curator and the necessary changes to PyYAML will be there. Any fixes you do before this will likely be fine, but the problem is with environment variables, which won't work without a fundamental change to how they are interpreted.

[eamanu]

sed -i 's/yaml.load/yaml.unsafe_load/g' curator/utils.py test/unit/*

good workaround

There will be a 5.9 release of Curator and the necessary changes to PyYAML will be there.

great! good news!

[danpawlik]

Another workaround:
sed -i 's/pyyaml==3.13/pyyaml>=5.3.1/g' setup.py setup.cfg requirements.txt
and
find . -type f -exec sed -i 's/yaml.load/yaml.unsafe_load/g' {} \;

About:
There will be a 5.9 release of Curator and the necessary changes to PyYAML will be there.
Hope new release will come soon :)

[faph]

Is there an update on the 5.9 release?

[untergeek]

It will be a breaking change. Look for it to appear sometime during/over Christmas break.

[archon810]

Any updates on this please?

[tsaarni]

@untergeek would PyYAML version bump be feasible now with the latest version? The environment variable related tests seem to pass now, please see #1596

[untergeek]

This has finally been addressed in #1596