
Remove pin on PyYAML==3.13 #2271

Closed
kdmccormick opened this issue Jul 1, 2019 · 3 comments

@kdmccormick

Moto currently pins PyYAML at 3.13. I understand that this was done because newer versions of PyYAML were causing test failures; however, many libraries and services now require PyYAML>=5.1 due to a security issue that was raised against older versions. Having the library pinned at a specific, out-of-date version makes it difficult for your users to stay up-to-date with their dependencies, because they will start getting conflicting version constraints as time goes on.

Moto has been super useful in writing unit tests against my AWS integration code. I'd hate to have to remove it because it stops me from being able to upgrade.

I took a low-effort swing at removing the constraint, but got a lot of test failures. If someone more knowledgeable were able to help me or do it themselves, I'd be very appreciative.

spulec added a commit that referenced this issue Jul 2, 2019

@spulec
Collaborator

spulec commented Jul 2, 2019

Fixed with #2272

thanks!

@spulec spulec closed this as completed Jul 2, 2019
@SeraBig

SeraBig commented Jul 2, 2019

Note that while this technically allows the 5.1 library to be used, it also preserves the arbitrary code execution pathway described in yaml/pyyaml#257 and https://nvd.nist.gov/vuln/detail/CVE-2017-18342

In order to fix the vulnerability, calls to yaml.load should have Loader=SafeLoader or Loader=FullLoader. Unfortunately it appears that references are broken in the secure versions, according to both the moto test suites, yaml/pyyaml#294 and yaml/pyyaml#266. A fix for those is incoming with PyYAML 5.2 via yaml/pyyaml#287 and once published the Loaders should be modified to a safe version.
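One way to check a code base for the loader problem described in the comment above: an added audit script (not moto's or PyYAML's own code) that walks Python source with the `ast` module and reports `yaml.load`/`yaml.load_all` calls whose `Loader` argument is missing or is not one of the safe loaders. It assumes PyYAML is imported as `yaml` (the `from yaml import load` form is not handled), and the `SAMPLE` source is constructed for the demonstration.

```python
import ast

# Loaders the comment above treats as safe (C-accelerated variants included).
SAFE_LOADERS = {"SafeLoader", "FullLoader", "CSafeLoader", "CFullLoader"}

def _name(node):
    """'yaml.SafeLoader' -> 'SafeLoader'; a bare name -> itself; anything else -> '<expr>'."""
    return node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", "<expr>")

def _loader_of(call):
    """Return the Loader passed to a yaml.load call, or None when it was omitted."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _name(kw.value)
    if len(call.args) >= 2:  # Loader may also be passed positionally
        return _name(call.args[1])
    return None

def find_unsafe_yaml_loads(source):
    """Return [(lineno, loader)] for yaml.load/load_all calls lacking a safe Loader.
    Assumes PyYAML is imported as `yaml`; a call with no Loader is unsafe before 5.1."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "yaml" and func.attr in ("load", "load_all")):
            continue
        loader = _loader_of(node)
        if loader not in SAFE_LOADERS:
            findings.append((node.lineno, loader))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample source (not from moto) mixing safe and unsafe call styles.
SAMPLE = """\
import yaml
a = yaml.load(text)                          # no Loader: unsafe default before 5.1
b = yaml.load(text, Loader=yaml.SafeLoader)  # safe
c = yaml.load(text, yaml.FullLoader)         # safe, positional Loader
d = yaml.load(text, Loader=yaml.Loader)      # explicitly unsafe loader
e = yaml.safe_load(text)                     # safe shortcut
f = yaml.load_all(text, Loader=yaml.UnsafeLoader)
"""

if __name__ == "__main__":
    for lineno, loader in find_unsafe_yaml_loads(SAMPLE):
        print(f"line {lineno}: yaml.load with Loader={loader}")
```

Run against a checkout of the code under review by reading each `.py` file into `find_unsafe_yaml_loads`; the three flagged lines in `SAMPLE` are the ones that would need `Loader=SafeLoader` or `Loader=FullLoader`.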

@kdmccormick
Author

Thanks for the quick fix @spulec!
