Skip to content
This repository has been archived by the owner on Jan 7, 2024. It is now read-only.

0.0.7: Update PyYAML to 5.1 or better #72

Merged
merged 1 commit into from Apr 15, 2019
Merged

0.0.7: Update PyYAML to 5.1 or better #72

merged 1 commit into from Apr 15, 2019

Conversation

rmol
Copy link
Contributor

@rmol rmol commented Apr 12, 2019

Require PyYAML >= 5.1,<6.

Fixes #52.

@redshiftzero
Copy link
Contributor

Diff/changelog dependency review done here, all looked good given context in yaml/pyyaml#257. One thing relevant for other updates of this dependency is:

In a future release (after 5.1) yaml.load() will raise an exception if you don’t
explicitly choose the Loader to use.

(though we don't need to worry about this in this repo as we bring in this dependency via vcrpy).

redshiftzero
redshiftzero approved these changes Apr 12, 2019
View reviewed changes
Copy link
Contributor

@redshiftzero redshiftzero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, when you've done your diff/changelog review, comment as such and merge this in @rmol!

@rmol
Copy link
Contributor Author

rmol commented Apr 13, 2019

Agreed. I don't see any problems with the updates to 5.1. We do need to make sure that we explicitly use the safe variants of load/Loader wherever possible.

@rmol rmol self-assigned this Apr 13, 2019
kushaldas
kushaldas suggested changes Apr 15, 2019
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are still missing the different of the source code and review of that based on the actual source tarballs :)

Because it is a dev dependency, not for production.

kushaldas
kushaldas approved these changes Apr 15, 2019
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving this as this is still a dev dependency. Nothing to do with production usage.

@rmol rmol merged commit 814e157 into master Apr 15, 2019
@rmol rmol deleted the fix-52-pyyaml-cve branch April 15, 2019 18:02
@redshiftzero redshiftzero mentioned this pull request Apr 15, 2019
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@kushaldas kushaldas kushaldas approved these changes

@redshiftzero redshiftzero redshiftzero approved these changes

Assignees

@rmol rmol

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update pyyaml when 4.2 release is available due to CVE-2017-18342
3 participants
@rmol @redshiftzero @kushaldas