Remove pin on PyYAML==3.13 #2271
Comments
Fixed with #2272 thanks!
Note that while this technically allows the 5.1 library to be used, it also preserves the arbitrary code execution pathway described in yaml/pyyaml#257 and https://nvd.nist.gov/vuln/detail/CVE-2017-18342. In order to fix the vulnerability, calls to
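The pathway referenced above is `yaml.load()` with a loader that constructs arbitrary Python objects from tags (the pre-5.1 default, or an explicit `yaml.Loader`/`yaml.UnsafeLoader`); `yaml.safe_load()` and `Loader=yaml.SafeLoader` are the spellings that do not. The following is an added example, not code from moto or PyYAML: a small stdlib-only AST check that flags such calls in a source file, run here over a constructed sample module.

```python
"""Flag yaml.load()/yaml.load_all() calls that keep the unsafe (full) loader."""
import ast

# Loaders that still construct arbitrary Python objects from YAML tags.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader"}


def _name_of(node):
    """Best-effort name of a loader expression (yaml.SafeLoader -> 'SafeLoader')."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return "<dynamic>"


def _loader_arg(call):
    """Loader passed to the call, by keyword or second positional arg, else None."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _name_of(kw.value)
    if len(call.args) >= 2:
        return _name_of(call.args[1])
    return None


def find_unsafe_yaml_loads(source, filename="<string>"):
    """Return [(lineno, call, loader)] for yaml.load/load_all calls on the unsafe pathway."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in ("load", "load_all")
                and isinstance(func.value, ast.Name) and func.value.id == "yaml"):
            continue  # only the `yaml.load(...)` spelling is checked, not `from yaml import load`
        loader = _loader_arg(node)
        # No loader means the pre-5.1 default (full, unsafe) loader; an explicit full/unsafe
        # loader is equally exposed. SafeLoader and unrecognised loaders are not flagged.
        if loader is None or loader in UNSAFE_LOADERS:
            findings.append((node.lineno, f"yaml.{func.attr}", loader))
    return findings


# Constructed sample module (not moto code); `text` is never evaluated, only parsed.
SAMPLE = '''\
import yaml
cfg = yaml.load(open("cfg.yml"))                    # default loader: CVE-2017-18342 pathway
safe = yaml.load(text, Loader=yaml.SafeLoader)      # fine
full = yaml.load(text, Loader=yaml.UnsafeLoader)    # unsafe by explicit choice
ok = yaml.safe_load(text)                           # fine
docs = yaml.load_all(text, yaml.Loader)             # positional full loader, unsafe
'''

if __name__ == "__main__":
    for lineno, call, loader in find_unsafe_yaml_loads(SAMPLE, "sample.py"):
        print(f"sample.py:{lineno}: {call}() with loader {loader or '<default>'}")
```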
Thanks for the quick fix @spulec!
Moto currently pins PyYAML at 3.13. I understand that this was done because newer versions of PyYAML were causing test failures; however, many libraries and services now require PyYAML>=5.1 due to a security issue that was raised against older versions. Having the library pinned at a specific, out-of-date version makes it difficult for your users to stay up-to-date with their dependencies, because they will start getting conflicting version constraints as time goes on.
Moto has been super useful in writing unit tests against my AWS integration code. I'd hate to have to remove it because it stops me from being able to upgrade.
I took a low-effort swing at removing the constraint, but got a lot of test failures. If someone more knowledgeable were able to help me or do it themselves, I'd be very appreciative.