GitHub reports security vulnerability in pyyaml, recommends >=4.2b1 #1730
Comments
I'm not aware of any version of PyYAML greater than 3.13 (with a release date of 2018-07-05) as listed here. And we specifically support Or is this perhaps a duplicate of #1529? If so, I would recommend ignoring the warning for the reasons stated in that issue.
The security issue is the same one that people always bring up: yaml/pyyaml#243. And yes, it is a duplicate of #1529. The way that MkDocs is intended to be used, this isn't a problem, and some people actually rely on this behavior. That is why the feature exists to begin with. The security fix I believe is to not use arbitrary code by default in PyYAML, but since we want to run arbitrary code, it doesn't matter. A better security fix is to not use MkDocs in an unsafe way.
As for whether upgrade will cause problems, if you are relying on the MkDocs ability to run arbitrary Python code, then it might break for you if it is indeed using the "safe" load by default now.
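The comment above contrasts two positions: the PyYAML fix (stop honouring python/* tags in the default loader) and "not using MkDocs in an unsafe way" (only resolve Python names you deliberately allow). The following is an added illustration, not code from MkDocs or PyYAML: it shows `yaml.safe_load` rejecting a config that passes a callable through the `!!python/name:` tag, and a `SafeLoader` subclass that honours that tag only for an explicit module allowlist. The config snippets, the `AllowlistLoader` class and the `ALLOWED_MODULES` set are constructed for this example; it assumes the `pyyaml` package is installed.

```python
import importlib
import yaml

# Constructed sample (not from the issue): an MkDocs-style config entry that
# hands a Python callable to a markdown extension via the !!python/name: tag.
ALLOWED_CONFIG = """
site_name: Example
markdown_extensions:
  - toc:
      slugify: !!python/name:json.dumps
"""

# Same shape, but the referenced module is outside the allowlist below.
DENIED_CONFIG = """
markdown_extensions:
  - toc:
      slugify: !!python/name:platform.python_version
"""

# Hypothetical allowlist: modules whose attributes a config may reference.
ALLOWED_MODULES = {"json"}


class AllowlistLoader(yaml.SafeLoader):
    """SafeLoader plus one explicitly permitted tag. Every other python/* tag
    still fails with ConstructorError, exactly as it does in safe_load."""


def construct_python_name(loader, suffix, node):
    """Resolve '!!python/name:module.attr' only when 'module' is allowlisted."""
    module_name, _, attr = suffix.rpartition(".")
    if module_name not in ALLOWED_MODULES:
        raise yaml.constructor.ConstructorError(
            None, None,
            "module %r is not on the allowlist for python/name" % module_name,
            node.start_mark,
        )
    return getattr(importlib.import_module(module_name), attr)


# Multi-constructor: matches every tag starting with this prefix; the rest of
# the tag ("json.dumps") arrives as `suffix`.
AllowlistLoader.add_multi_constructor(
    "tag:yaml.org,2002:python/name:", construct_python_name
)


def load_strict(text):
    """What the advisory asks for: no python/* tags are constructed at all."""
    return yaml.safe_load(text)


def load_allowlisted(text):
    """Explicit opt-in: python/name is honoured for allowlisted modules only."""
    return yaml.load(text, Loader=AllowlistLoader)


def is_rejected(loader_fn, text):
    """True if the loader refuses the document with a ConstructorError."""
    try:
        loader_fn(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("safe_load rejects python/name:", is_rejected(load_strict, ALLOWED_CONFIG))
    cfg = load_allowlisted(ALLOWED_CONFIG)
    print("allowlisted callable:", cfg["markdown_extensions"][0]["toc"]["slugify"])
    print("non-allowlisted module rejected:", is_rejected(load_allowlisted, DENIED_CONFIG))
```

The design point is that the opt-in lives in the loader class rather than in a global default: a config file cannot widen the allowlist, and a future PyYAML that tightens its default loader does not change what this loader accepts, because it never relied on the default in the first place.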
Thanks @facelessuser. I was confused because I didn't know where the "4.2b1" version came from. yaml/pyyaml#193 explains the current state of PyYAML pretty well and clears up the history of version 4. Now that it is clear, I'm closing this as a duplicate of #1529.
Thanks everyone for your comments. I'll watch the PyYAML project and MkDocs project and pick up later levels when they are ready. |
We are currently a little backlevel, using pyyaml 3.12 as required by MkDocs 1.0.4, but it looks like we won't fix this by moving to the latest MkDocs level.
Are there plans to update dependencies?
Can anyone confirm whether upgrading just pyyaml >=4.2b1 causes any problems please?