#168: Bump PyYAML to v5.1 and remove CVE altogether

garyd203 · Jul 15, 2019 · 21f1ade · 21f1ade
1 parent 67cf4be
commit 21f1ade
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+### Security
+* Upgrade to PyYAML v5.1 from v3.13. This addresses
+  [CVE-2017-18342](https://security-tracker.debian.org/tracker/CVE-2017-18342),
+  which was documented in [PyYAML bug 207](https://github.com/yaml/pyyaml/issues/207).
+  Note that this bug **did not** affect Flying Circus, because YAML is only
+  dump'ed, and hence there was no unsafe use of `yaml.load` with an untrusted
+  source)
+
 ## [v0.6.6] - 2019-07-11
 ### Changed
 * Update AWS Resource specification to v4.1.0

diff --git a/requirements.txt b/requirements.txt
@@ -9,7 +9,7 @@ importlib_resources==1.0.2
 inflection==0.3.1
 Jinja2==2.10
 pytest==4.5.0
-PyYAML==3.13
+PyYAML==5.1.1
 semver==2.7.9
 Sphinx==1.8.4
 sphinx-autobuild==0.7.1
diff --git a/setup.py b/setup.py
@@ -35,8 +35,7 @@ def get_readme():
         # introduced in v18.2.0
         "attrs>=18.2.0",
         "inflection>=0.3.1,<0.4",
-        # TODO #165 PyYAML v3 has vulnerability that does not affect us, but we should upgrade as soon as a fix is available
-        "PyYAML==3.13",
+        "PyYAML==5.1.1",
     ],
     # Contact Details
     author="Gary Donovan",