GitHub reports security vulnerability in pyyaml, recommends >=4.2b1 #1730

Closed
SueChaplain opened this issue Jan 24, 2019 · 5 comments

@SueChaplain

We are currently a little backlevel, using pyyaml 3.12 as required by MkDocs 1.0.4, but it looks like we won't fix this by moving to the latest MkDocs level.

Are there plans to update dependencies?
Can anyone confirm whether upgrading just pyyaml >=4.2b1 causes any problems please?

@waylan
Member

waylan commented Jan 24, 2019

I'm not aware of any version of PyYAML greater than 3.13 (with a release date of 2018-07-05) as listed here. And we specifically support pyyaml>=3.12 so the only restriction is that older versions are not supported. However, we will accept any newer version. Could you provide some more information about this "recommendation"?

Or is this perhaps a duplicate of #1529? If so, I would recommend ignoring the warning for the reasons stated in that issue.

@facelessuser
Contributor

The security issue is the same one that people always bring up: yaml/pyyaml#243. And yes, it is a duplicate of #1529. The way that MkDocs is intended to be used, this isn't a problem, and some people actually rely on this behavior. That is why the feature exists to begin with.

The security fix I believe is to not use arbitrary code by default in PyYAML, but since we want to run arbitrary code, it doesn't matter.

A better security fix is to not use MkDocs in an unsafe way.

@facelessuser
Contributor

As for whether upgrading will cause problems, if you are relying on MkDocs' ability to run arbitrary Python code, then it might break for you if it is indeed using the "safe" load by default now.
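The distinction the two comments above draw, as an added example that is not MkDocs or PyYAML code: a small gate that scans a MkDocs-style config for Python-specific tags and only hands files the caller explicitly trusts to the loader that resolves them, falling back to `yaml.safe_load` otherwise. The `mymodule.fence_format` name and both YAML snippets are constructed for the example.

```python
import re

try:
    import yaml  # PyYAML; optional so the scanner also works without it
except ImportError:
    yaml = None

# Tags in the tag:yaml.org,2002:python/ namespace make the loader call into
# the Python runtime (resolve a name, import a module, build an object).
# Matches the !!python/... shorthand and the verbatim !<tag:...> form.
PYTHON_TAG = re.compile(
    r"(?:!!|!<tag:yaml\.org,2002:)python/[A-Za-z0-9_/]+(?::[\w.]+)?>?")

# Constructed samples; the module path mymodule.fence_format is hypothetical.
TRUSTED_CONFIG = """\
site_name: Example Docs
markdown_extensions:
  - pymdownx.superfences:
      custom_fences:
        - {name: mermaid, class: mermaid,
           format: !!python/name:mymodule.fence_format}
"""
PLAIN_CONFIG = "site_name: Example Docs\nmarkdown_extensions: [toc]\n"


def python_tags(text: str) -> list[str]:
    """Return every Python-specific tag in the document, in order."""
    return PYTHON_TAG.findall(text)


def has_pyyaml() -> bool:
    return yaml is not None


def load_config(text: str, trusted: bool = False):
    """Parse with yaml.safe_load unless the caller vouches for the file.

    The scanner is only a cheap pre-check: safe_load is the real gate and
    raises ConstructorError for any python/ tag that slips past it.
    """
    tags = python_tags(text)
    if tags and not trusted:
        raise ValueError(f"untrusted config uses Python tags: {tags}")
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    if not trusted:
        return yaml.safe_load(text)
    # yaml.Loader resolves !!python/name: targets at parse time, the MkDocs
    # feature the thread describes; reserve it for the site owner's own file.
    return yaml.load(text, Loader=yaml.Loader)
```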

@waylan
Member

waylan commented Jan 24, 2019

Thanks @facelessuser. I was confused because I didn't know where the "4.2b1" version came from. yaml/pyyaml#193 explains the current state of PyYAML pretty well and clears up the history of version 4. Now that it is clear, I'm closing this as a duplicate of #1529.

@SueChaplain
Author

Thanks everyone for your comments. I'll watch the PyYAML project and MkDocs project and pick up later levels when they are ready.
