
Unpin PyYAML #241

Merged: 2 commits, Mar 15, 2021

Conversation

jiasli
Member

@jiasli jiasli commented Mar 12, 2021

Unpin PyYAML so that the latest version will always be used. This solves

https://dev.azure.com/azure-sdk/public/_build/results?buildId=781110&view=logs&j=74095127-2a27-5370-37ed-15a4193f243f&t=a1e0e2fa-9206-5f67-cee4-df0dbeea0a5f&l=515

[INFO] Security Alerts
[INFO] Alert title     | Affected component | Severity
[INFO] CVE-2020-14343  | pyyaml 5.3.1       | Critical
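The alert above is the scanner noticing that the resolved PyYAML is 5.3.1, which falls in the range affected by CVE-2020-14343 (PyYAML before 5.4, arbitrary code execution when untrusted YAML goes through `full_load` / `FullLoader`). The following is an added example, not code from this repository or from the PR author: it replays that check over a constructed `pip freeze` listing, then checks whether a requirements line still admits an affected version (a bare, unpinned `pyyaml` is satisfied by a stale 5.3.1 already present in the build environment, whereas a floor of `>=5.4` is not), and finally shows the loader to use for untrusted input regardless of version. The function names, `FIXED`, `SAMPLE_FREEZE` and every sample line are assumptions made for illustration.

```python
"""Added example for PR #241; not the project's code.

Fact used: CVE-2020-14343 affects PyYAML < 5.4 (full_load / FullLoader).
Everything else here (names, sample listing, sample requirement lines)
is constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED = (5, 4)  # first PyYAML release that closes CVE-2020-14343

# Constructed `pip freeze` output, not taken from the build log above.
SAMPLE_FREEZE = """\
azure-core==1.12.0
PyYAML==5.3.1
requests==2.25.1
"""

_FREEZE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.]*)\s*$")
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(.*)$")
_SPEC_RE = re.compile(r"^\s*(==|~=|>=|<=|!=|>|<)\s*([0-9][0-9.]*)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.3.1' -> (5, 3, 1); stops at the first non-numeric component."""
    out: List[int] = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        out.append(int(m.group()))
    return tuple(out)


def scan_freeze(freeze_text: str) -> List[Dict[str, object]]:
    """One finding per resolved PyYAML, in the shape of the build's alert table."""
    findings: List[Dict[str, object]] = []
    for line in freeze_text.splitlines():
        m = _FREEZE_RE.match(line)
        if not m or m.group(1).lower() != "pyyaml":
            continue
        version = m.group(2)
        vulnerable = parse_version(version) < FIXED
        findings.append({
            "component": f"pyyaml {version}",
            "cve": "CVE-2020-14343" if vulnerable else None,
            "severity": "Critical" if vulnerable else None,
        })
    return findings


def spec_admits_vulnerable(req_line: str) -> Optional[bool]:
    """True if the requirement line can be satisfied by PyYAML < 5.4.

    None: not a PyYAML requirement. A bare name (the 'unpin' in this PR)
    admits every version, so an already-installed 5.3.1 still satisfies it;
    only a lower bound (==, ~=, >=, >) at or above 5.4 rules the affected
    versions out. Upper bounds alone (<, <=, !=) never do.
    """
    body = req_line.split("#", 1)[0].split(";", 1)[0].strip()
    m = _NAME_RE.match(body)
    if not m or m.group(1).lower() != "pyyaml":
        return None
    rest = m.group(2).strip()
    if not rest:
        return True  # unpinned: any installed version is acceptable to pip
    for spec in rest.split(","):
        sm = _SPEC_RE.match(spec)
        if not sm:
            continue  # unparsed specifier form: ignored, conservatively
        op, ver = sm.groups()
        if op in ("==", "~=", ">=", ">") and parse_version(ver) >= FIXED:
            return False
    return True


def safe_load_rejects(document: str) -> bool:
    """True if yaml.safe_load refuses the document (e.g. any python/* tag).

    Upgrading past 5.4 fixes the FullLoader bypass; safe_load removes the
    object-construction surface entirely, so it is the loader for untrusted
    input on every version. Needs PyYAML installed; the scanners above do not.
    """
    import yaml
    try:
        yaml.safe_load(document)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__":
    for finding in scan_freeze(SAMPLE_FREEZE):
        print(finding)
    for line in ("pyyaml", "PyYAML==5.3.1", "pyyaml>=5.4.1", "pyyaml>=5.4,<6"):
        print(f"{line!r:20} admits vulnerable: {spec_admits_vulnerable(line)}")
```

Run it against the real `pip freeze` of the build image rather than a requirements file when checking whether an alert is resolved; the second comment in this thread is a reminder that the resolved version, not the specifier, is what the scanner reports.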

@jiasli jiasli changed the title Bump PyYAML to 5.4.1 Unpin PyYAML Mar 15, 2021
@jiasli jiasli merged commit 5c34bb6 into microsoft:dev Mar 15, 2021
@jiasli jiasli deleted the pyyaml branch March 15, 2021 02:17
@jiasli jiasli mentioned this pull request Mar 15, 2021
@Quinncuatro

@jiasli - Brought this up in a couple of Issues (#258 & #193), but it seems like unpinning PyYAML is somehow letting it still default to version 5.3.1, which is throwing an arbitrary code execution warning on my end (via BlackDuck).

I fleshed out my reasoning on it in issue #258. Something wonky is happening - might be a good idea to re-pin this one.

@Quinncuatro

I take that back. Everything was resolved in #258. Ended up being an issue with the pipeline.
