Upgrade insecure dependency PyYAML to 4.2b2+

[iamyohann]

Changes proposed in this pull request:

• Bump PyYAML to 4.2b2+ (resolves CVE-2017-18342 https://nvd.nist.gov/vuln/detail/CVE-2017-18342)

[dtkav]

Hey @iamyohann ,

Have a read through this thread: python-openapi/openapi-spec-validator#60

TL;DR - We can't pin a beta release, as it will break dependency managers like pipenv. However, this CVE only relates to the use of yaml.load(), which we do not use (we use safe_load, or extend the safe loader).

[iamyohann]

@dtkav I see, can I leave this PR open until a stable version of PyYAML is released?

[dtkav]

Yeah, absolutely.

…

On Wed, Mar 6, 2019 at 1:47 PM Yohann ***@***.***> wrote: @dtkav <https://github.com/dtkav> I see, can I leave this PR open until a stable version of PyYAML is released? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#897 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAlPSQDhRDpLsocMtAScvZBx4ssO0V8Eks5vTzM8gaJpZM4bfy3s> .

[ThoreKr]

So with 5.1 it should be fine unless there are also side effects as in yaml/pyyaml#265?

[dtkav]

superseded by #902