
Remove requirement of PyYAML!=5.4.x #6666

Closed
chris-boson opened this issue Mar 24, 2021 · 4 comments · Fixed by #6673
Labels: feature (Is an improvement or enhancement), help wanted (Open to be worked on), let's do it! (approved to implement)

Comments

@chris-boson (Contributor)

🚀 Feature

Remove dependency requirement of PyYAML!=5.4.x

Motivation

According to safety, PyYAML versions below 5.4 have a security vulnerability, which means that our pre-commit hooks don't allow upgrading to newer versions of lightning.

-> pyyaml, installed 5.3.1, affected <5.4, id 39611
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. See CVE-2020-14343.

Pitch

Figure out why 5.4.x doesn't work for lightning and remove this requirement if possible.

chris-boson added the feature and help wanted labels on Mar 24, 2021
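The conflict the issue describes can be checked mechanically: a project constraint that excludes PyYAML 5.4.x and an advisory that marks everything below 5.4 as affected leave no release that is both installable and unaffected. The following is an added example, not code from Lightning, safety or PyYAML. The release list is a constructed subset of real PyYAML tags, the two constraint strings (including the `>=5.1` lower bound) are assumptions chosen to mirror the issue title, and the specifier grammar is a deliberately minimal hand-rolled one; a real tool would use `packaging.specifiers`.

```python
"""
Checks whether a project's version constraint leaves any release that a
vulnerability advisory does not cover.

Added example, not code from Lightning, safety or PyYAML. It models the
situation in this issue: the project excludes PyYAML 5.4.x while the advisory
for CVE-2020-14343 (safety id 39611) marks everything below 5.4 as affected.
"""
from typing import Dict, List, Tuple

# Constructed sample: a subset of PyYAML releases around the advisory boundary.
RELEASES = ["5.1", "5.2", "5.3", "5.3.1", "5.4", "5.4.1"]

# Assumed project constraint matching the issue title (lower bound is assumed).
LIGHTNING_PIN = ">=5.1,!=5.4.*"
# The same constraint with the exclusion dropped, as the issue proposes.
FIXED_PIN = ">=5.1"
# Affected range reported by safety for CVE-2020-14343 (quoted in the issue).
ADVISORY_AFFECTED = "<5.4"


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.4' -> (5, 4, 0): pad to three components so 5.4 compares equal to 5.4.0."""
    parts = [int(p) for p in text.split(".")]
    if len(parts) > 3:
        raise ValueError(f"unsupported version {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def _matches_clause(version: str, clause: str) -> bool:
    """Evaluate one clause such as '>=5.1', '<5.4', '==5.3.1' or '!=5.4.*'."""
    clause = clause.strip()
    # Two-character operators must be tried before their one-character prefixes.
    for op in ("!=", ">=", "<=", "==", "<", ">"):
        if clause.startswith(op):
            target = clause[len(op):].strip()
            break
    else:
        raise ValueError(f"unsupported clause {clause!r}")

    v = parse_version(version)
    if target.endswith(".*"):
        # Prefix match: '5.4.*' covers 5.4, 5.4.0, 5.4.1, ...
        prefix = [int(p) for p in target[:-2].split(".")]
        hit = list(v[: len(prefix)]) == prefix
        if op == "==":
            return hit
        if op == "!=":
            return not hit
        raise ValueError(f"wildcard not allowed with {op!r}")

    t = parse_version(target)
    return {
        "==": v == t, "!=": v != t,
        "<": v < t, "<=": v <= t,
        ">": v > t, ">=": v >= t,
    }[op]


def satisfies(version: str, spec: str) -> bool:
    """True if the version meets every comma-separated clause in spec."""
    return all(_matches_clause(version, c) for c in spec.split(",") if c.strip())


def resolve(releases: List[str], project_spec: str, affected_spec: str) -> Dict[str, List[str]]:
    """Split releases by the project's constraint and by the advisory's affected range."""
    installable = [r for r in releases if satisfies(r, project_spec)]
    unaffected = [r for r in releases if not satisfies(r, affected_spec)]
    return {
        "installable": installable,
        "unaffected": unaffected,
        # An empty list here means the pin and the advisory cannot both be honoured.
        "installable_and_safe": [r for r in installable if r in unaffected],
    }


if __name__ == "__main__":
    for label, spec in (("current pin", LIGHTNING_PIN), ("proposed pin", FIXED_PIN)):
        print(f"{label} ({spec}): {resolve(RELEASES, spec, ADVISORY_AFFECTED)}")
```

With the current pin the `installable_and_safe` list is empty, which is exactly the state that makes the safety pre-commit hook block the upgrade; dropping the `!=5.4.*` clause makes 5.4 and 5.4.1 both installable and unaffected. Note that upgrading the library does not by itself make YAML handling safe: code that parses untrusted input should use `yaml.safe_load` rather than `full_load`/`FullLoader` regardless of the installed version.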
@Borda (Member) commented Mar 24, 2021

@chris-boson mind sending a PR? It shall be a quick fix.

Borda added the let's do it! label on Mar 24, 2021
@chris-boson (Contributor, Author)

Sure, looks like I need permission to push.

@kaushikb11 (Contributor)

Hi @chris-boson, you would need to fork the repo and do a Pull Request to contribute.

@JMMarchant

Any update on this?

4 participants