Closed coreycb closed 1 year ago
This is similar to #656 - could we please consolidate them? So we also need to pin Cython<3.0.0
as that's also broken with PyYaml 6.0.1 (at the moment).
We need a 3.0.7 release on PyPI with this fix.
This change should be revisited now that 6.0.1 was released to fix the problem. I'm not sure, but it looks like the result of 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0' is 5.3.1, which has known CVEs.
pip install 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0'
Collecting pyyaml!=5.4.0,!=5.4.1,<6.0,>=5.0
Using cached PyYAML-5.3.1-cp311-cp311-linux_x86_64.whl
Installing collected packages: pyyaml
Successfully installed pyyaml-5.3.1
On Wed, 2023-08-09 at 12:58 -0700, Mark Beierl wrote:
> This change should be revisited now that 6.0.1 was released to fix the problem. I'm not sure, but it looks like the result of 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0' is 5.3.1, which has known CVEs.
>
> pip install 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0'
> Collecting pyyaml!=5.4.0,!=5.4.1,<6.0,>=5.0
> Using cached PyYAML-5.3.1-cp311-cp311-linux_x86_64.whl
> Installing collected packages: pyyaml
> Successfully installed pyyaml-5.3.1
I think we could do:
pyyaml>=5.0,!=5.4.0,!=5.4.1,!=6.0,<7.0
pyyaml 5.4.0 and 5.4.1 are broken with cython 3 https://github.com/yaml/pyyaml/issues/724
jsonschema 4.18.0 depends on Rust (via rpds-py)
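To make the resolution behaviour in the exchange above concrete, here is an added, stdlib-only example (not code from this thread or from the project) that picks the newest candidate satisfying a pip-style specifier: the old `<6.0` constraint lands on 5.3.1, the proposed `!=6.0,<7.0` constraint admits 6.0.1. The candidate version list is constructed from the releases the thread mentions, and the resolver handles only plain dotted release numbers, not full PEP 440.

```python
"""Minimal resolver for the PyYAML version constraints discussed in the thread.

Added example: handles only the operators used in those constraints and plain
dotted release numbers (no pre-release or local version segments).
"""
from __future__ import annotations

import operator

# Constructed candidate list: the releases named in the thread.
CANDIDATES = ["5.3.1", "5.4.0", "5.4.1", "6.0", "6.0.1"]

OPS = {">=": operator.ge, "<=": operator.le, "!=": operator.ne,
       "==": operator.eq, ">": operator.gt, "<": operator.lt}


def parse_version(text: str) -> tuple[int, ...]:
    """Release tuple; trailing zeros dropped so '6.0' equals '6.0.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause of `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in sorted(OPS, key=len, reverse=True):  # try '>=' before '>'
            if clause.startswith(op):
                if not OPS[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


def resolve(spec: str, candidates=CANDIDATES) -> str | None:
    """Mimic pip: choose the newest candidate that satisfies the constraint."""
    allowed = [c for c in candidates if satisfies(c, spec)]
    return max(allowed, key=parse_version) if allowed else None


if __name__ == "__main__":
    # Specifiers from the thread, with the 'pyyaml' project name removed.
    print("old ->", resolve(">=5.0,!=5.4.0,!=5.4.1,<6.0"))        # 5.3.1
    print("new ->", resolve(">=5.0,!=5.4.0,!=5.4.1,!=6.0,<7.0"))  # 6.0.1
```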