This repository has been archived by the owner on Feb 8, 2024. It is now read-only.

Update dependency PyYAML to v5.4 #397

Closed
wants to merge 1 commit

Conversation

mend-for-github-com[bot]
Contributor

This PR contains the following updates:

Package         | Update | Change
PyYAML (source) | minor  | ==5.1.2 -> ==5.4

By merging this PR, the below issues will be automatically resolved and closed:

Severity | CVSS Score | CVE            | GitHub Issue
High     | 9.8        | CVE-2020-1747  | #269
High     | 9.8        | CVE-2019-20477 | #270
High     | 9.8        | CVE-2020-14343 | #271

Release Notes

yaml/pyyaml

v5.4


v5.3.1


v5.3


v5.2


  • Repair incompatibilities introduced with 5.1. The default Loader was changed,
    but several methods like add_constructor still used the old default
    #279 -- A more flexible fix for custom tag constructors
    #287 -- Change default loader for yaml.add_constructor
    #305 -- Change default loader for add_implicit_resolver, add_path_resolver
  • Make FullLoader safer by removing python/object/apply from the default FullLoader
    #347 -- Move constructor for object/apply to UnsafeConstructor
  • Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0xffff
    #276 -- Fix logic for quoting special characters
  • Other PRs:
    #280 -- Update CHANGES for 5.1


@welcome

welcome bot commented May 16, 2021

Thanks for your contribution in opening this pull request! Now you can be rewarded with a CORTX sticker by requesting a CORTX sticker.
In the meantime, please check out the contributing guidelines and explore other ways you can get involved.

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by WhiteSource label May 16, 2021
@cortx-admin

Can one of the admins verify this patch?

@ajaysrivas
Contributor

This is a common package; it can't be upgraded without discussion.
Plan is to take up this activity in last sprint of PI-2.

@ajaysrivas ajaysrivas closed this May 17, 2021
@mend-for-github-com mend-for-github-com bot deleted the whitesource-remediate/pyyaml-5.x branch May 17, 2021 05:21