Conversation

@jiasli
Member

@jiasli jiasli commented Mar 12, 2021

Unpin PyYAML so that the latest version will always be used. This solves

https://dev.azure.com/azure-sdk/public/_build/results?buildId=781110&view=logs&j=74095127-2a27-5370-37ed-15a4193f243f&t=a1e0e2fa-9206-5f67-cee4-df0dbeea0a5f&l=515

```text
[INFO] __________________________________________________________________________________________________________________
[INFO] |Security Alerts                                                                                                 |
[INFO] |________________________________________________________________________________________________________________|
[INFO] |Alert title                             |Affected component                      |Severity                      |
[INFO] |________________________________________|________________________________________|______________________________|
[INFO] |CVE-2020-14343                          |pyyaml 5.3.1                            |Critical                      |
[INFO] |________________________________________|________________________________________|______________________________|
```

@jiasli jiasli changed the title Bump PyYAML to 5.4.1 Unpin PyYAML Mar 15, 2021
@jiasli jiasli merged commit 5c34bb6 into microsoft:dev Mar 15, 2021
@jiasli jiasli deleted the pyyaml branch March 15, 2021 02:17
@jiasli jiasli mentioned this pull request Mar 15, 2021
@Quinncuatro

@jiasli - Brought this up in a couple of Issues (#258 & #193), but it seems like unpinning PyYAML is somehow letting it still default to version 5.3.1, which is throwing an arbitrary code execution warning on my end (via BlackDuck).

I fleshed out my reasoning on it in issue #258. Something wonky is happening - might be a good idea to re-pin this one.

@Quinncuatro

I take that back. Everything was resolved in #258. Ended up being an issue with the pipeline.
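The PR above unpins PyYAML so the resolver picks a release past CVE-2020-14343, and the follow-up comments show the catch: an unpinned line does not by itself forbid a stale 5.3.1 from a cached or pipeline-level pin. The check below is an added example (not code from the azure-sdk repository or this PR) that classifies pyyaml lines in a requirements file against that advisory; it assumes the fix boundary is PyYAML 5.4 (the PR's original title bumped the pin to 5.4.1), and the sample requirements text is constructed.

```python
import re

# CVE-2020-14343 fix boundary: assumed to be PyYAML 5.4 (the PR's original
# title bumped the pin to 5.4.1). Hypothetical constant, not from the repo.
FIXED_IN = (5, 4)
_REQ_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<spec>[^#;]*)")
_CLAUSE_RE = re.compile(r"(==|>=|<=|~=|>|<)\s*([0-9][0-9.]*)")

def parse_version(text):
    """'5.3.1' -> (5, 3, 1); tuples compare component-wise."""
    return tuple(int(p) for p in text.strip(".").split("."))

def assess_pyyaml_requirement(line):
    """Classify one requirements.txt line against the pyyaml advisory.
    None: not pyyaml. 'fixed': only versions >= FIXED_IN admitted.
    'vulnerable': only versions below it admitted. 'unbounded': no floor at
    FIXED_IN, so pip will usually pick the latest release but nothing in this
    file forbids a stale 5.3.1 (the behaviour reported in the comments)."""
    m = _REQ_RE.match(line)
    if not m or m.group("name").lower().replace("_", "-") != "pyyaml":
        return None
    lower, upper, upper_incl = None, None, True
    for op, ver in _CLAUSE_RE.findall(m.group("spec")):
        v = parse_version(ver)
        if op in ("==", ">=", "~=", ">"):   # '>' treated as '>=' (cautious)
            lower = v if lower is None else max(lower, v)
        if op == "~=" and len(v) >= 2:      # ~=5.3.1 means >=5.3.1,<5.4
            v, op = v[:-2] + (v[-2] + 1,), "<"
        if op in ("==", "<=", "<") and (upper is None or v < upper):
            upper, upper_incl = v, op != "<"
    if lower is not None and lower >= FIXED_IN:
        return "fixed"
    if upper is not None and (upper < FIXED_IN or (not upper_incl and upper <= FIXED_IN)):
        return "vulnerable"
    return "unbounded"

def scan_requirements(text):
    """{stripped line: verdict} for every pyyaml line in a requirements file."""
    return {raw.strip(): v for raw in text.splitlines()
            if (v := assess_pyyaml_requirement(raw))}

# Constructed sample, not the repository's real requirements file.
SAMPLE = """\
requests>=2.25
PyYAML==5.3.1      # the pin the CI alert flagged
pyyaml             # what this PR leaves behind: unpinned
PyYAML>=5.4.1      # explicit floor at the fixed release
pyyaml~=5.3.1      # compatible-release pin, still below 5.4
"""
```

An 'unbounded' verdict is the case to watch after a PR like this one: it is only safe if nothing elsewhere in the build (a constraints file, a cached wheel, a transitive pin) resolves the package to an older release.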
