https://nvd.nist.gov/vuln/detail/CVE-2017-18342
Details: https://github.com/yaml/pyyaml/issues/243#issuecomment-451540701
The suggested version 4.1 is a prerelease so not a good option currently.
According to the details link above using `yaml.safe_load` instead of `yaml.load` fixes this issue.
We don't appear to be using `yaml` directly in our code so we may be able to remove this requirement. The problem may still exist in libraries we are using.