#168: Bump PyYAML to latest version, note CVE.

garyd203 · Mar 11, 2019 · 158541b · 158541b
1 parent cfa18e1
commit 158541b
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -7,7 +7,7 @@ importlib_resources==1.0.2
 inflection==0.3.1
 Jinja2==2.10
 pytest==3.2.2
-PyYAML==3.12
+PyYAML==3.13
 semver==2.7.9
 Sphinx==1.8.4
 sphinx-autobuild==0.7.1
diff --git a/setup.py b/setup.py
@@ -34,7 +34,8 @@ def get_readme():
         # We use the `kw_only` only for attribute classes, which was
         # introduced in v18.2.0
         'attrs>=18.2.0',
-        'PyYAML',
+        # TODO #165 PyYAML v3 has vulnerability that does not affect us, but we should upgrade as soon as a fix is available
+        'PyYAML==3.13',
     ],
 
     # Contact Details