feat: Use PyYAML's safe_load for better security

[matthewfeickert]

Description

In light of a discussion, motivated by PR #1378, with @alexander-held, @henryiii, and @jpivarski about the security risk of PyYAML, use yaml.safe_load over yaml.full_load in pyhf.utils.options_from_eqdelimstring.

Checklist Before Requesting Reviewer

• Tests are passing
• "WIP" removed from the title of the pull request
• Selected an Assignee for the PR to be responsible for the log summary

Before Merging

For the PR Assignees:

• Summarize commit messages into a comprehensive review of the PR

* Use yaml.safe_load over yaml.full_load in pyhf.utils.options_from_eqdelimstring
* Further safeguards against things like CVE-2020-14343
   - c.f. PR #1378

[matthewfeickert]

For additional context on yaml.FullLoader vs. yaml.SafeLoader @alexander-held pointed me to yaml/pyyaml#265 👍

[codecov]

Codecov Report

Merging #1383 (e0461b4) into master (99212ea) will not change coverage.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master    #1383   +/-   ##
=======================================
  Coverage   97.53%   97.53%           
=======================================
  Files          63       63           
  Lines        3808     3808           
  Branches      538      538           
=======================================
  Hits         3714     3714           
  Misses         55       55           
  Partials       39       39           

Flag	Coverage Δ
contrib	24.18% <0.00%> (ø)
unittests	97.53% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
src/pyhf/utils.py	96.82% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 99212ea...e0461b4. Read the comment docs.

[matthewfeickert]

This might also reduce the dependabot PRs that we get. :/