Shelby was alerted to a vulnerability in PyYAML (by GitHub) which was just added to the requirements file. The alert text (summarized):
Known high severity security vulnerability detected in pyyaml <4.2b1 defined in requirements.txt.
... update suggested: pyyaml ~> 4.2b1.
My analysis:
In this case the vulnerability comes about if we use PyYAML to process raw data coming in from the Internet. The existing version of this library (the one we are referencing) has this vulnerability. Since we are not (yet) contemplating using YAML as a data format, we know that it is not a problem for us. We do need to keep this in mind, which means that we should prefer JSON or XML as a data format. If we want to use YAML as a data format, we will need to update the PyYAML library to a safe version (e.g. 5.1).
There is more information about this vulnerability at yaml/pyyaml#207.
Pull Request #16 includes an update to PyYAML to version 5.1. This version has the patch to mediate this vulnerability. If this pull request is accepted, this issue can be closed.
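The analysis above hinges on how YAML from the Internet is parsed: the loader, not just the library version, decides whether a document can construct Python objects. The following is an added example (not code from this repository or from PyYAML's own tests) showing the defensive pattern that holds on every PyYAML version: parse untrusted input with `yaml.safe_load` only and treat any non-core tag as a rejected document. The sample documents and the `load_untrusted_yaml` helper are constructed for this illustration.

```python
import yaml
from yaml.constructor import ConstructorError

# Constructed sample input: a configuration document a service might accept
# from a remote client.
BENIGN_DOC = """
name: shelby
retries: 3
tags: [alpha, beta]
"""

# Constructed sample input carrying a Python-specific tag. Before PyYAML 5.1,
# plain yaml.load(text) resolved such tags into live Python objects; the safe
# loader refuses every tag outside plain scalars, sequences and mappings.
# The tag used here is deliberately harmless.
TAGGED_DOC = """
name: !!python/name:builtins.len
"""


def load_untrusted_yaml(text):
    """Parse YAML from an untrusted source with the safe loader only.

    Returns (ok, value). On success value is the parsed data; on failure ok is
    False and value is a short reason, so callers can log and drop the input
    instead of letting a loader exception propagate.
    """
    try:
        return True, yaml.safe_load(text)
    except ConstructorError as exc:
        # Raised for any tag the safe loader has no constructor for,
        # including every !!python/* tag.
        return False, f"rejected tag: {exc.problem}"
    except yaml.YAMLError as exc:
        # Syntax errors and other parser failures.
        return False, f"malformed yaml: {exc}"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("tagged", TAGGED_DOC)):
        ok, result = load_untrusted_yaml(doc)
        print(f"{label}: ok={ok} -> {result}")
```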