juju / charm-tools

Tools for charm authors and maintainers

setup: Update charm-tools pin set #659

Closed coreycb closed 1 year ago

coreycb commented 1 year ago

pyyaml 5.4.0 and 5.4.1 are broken with cython 3 https://github.com/yaml/pyyaml/issues/724

jsonschema 4.18.0 depends on Rust (via rpds-py)

ajkavanagh commented 1 year ago

This is similar to #656 - could we please consolidate them? So we also need to pin Cython<3.0.0 as that's also broken with PyYaml 6.0.1 (at the moment).

freyes commented 1 year ago

We need a 3.0.7 release in pypi with this fix.

markbeierl commented 1 year ago

This change should be revisited now that 6.0.1 was released to fix the problem. I'm not sure, but it looks like the result of 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0' is 5.3.1, which has known CVEs.

pip install 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0'
Collecting pyyaml!=5.4.0,!=5.4.1,<6.0,>=5.0
  Using cached PyYAML-5.3.1-cp311-cp311-linux_x86_64.whl
Installing collected packages: pyyaml
Successfully installed pyyaml-5.3.1

freyes commented 1 year ago

On Wed, 2023-08-09 at 12:58 -0700, Mark Beierl wrote:

This change should be revisited now that 6.0.1 was released to fix the problem. I'm not sure, but it looks like the result of 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0' is 5.3.1, which has known CVEs.

pip install 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0'
Collecting pyyaml!=5.4.0,!=5.4.1,<6.0,>=5.0
  Using cached PyYAML-5.3.1-cp311-cp311-linux_x86_64.whl
Installing collected packages: pyyaml
Successfully installed pyyaml-5.3.1

I think we could do:

pyyaml>=5.0,!=5.4.0,!=5.4.1,!=6.0,<7.0
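
An added check (example code, not part of charm-tools) that implements a minimal PEP 440-style specifier matcher over a constructed candidate list, enough to show that the original pin set resolves to 5.3.1 while the proposed one resolves to 6.0.1. It assumes only the simple operators used in this thread and ignores wheel availability, pre-releases and yanked releases, which real pip also weighs.

```python
"""Show which release a pip version specifier actually selects."""
import operator
import re

# Constructed candidate list; a real index carries many more releases.
CANDIDATES = ["5.3.1", "5.4.0", "5.4.1", "6.0", "6.0.1"]

OPS = {">=": operator.ge, "<=": operator.le, "!=": operator.ne,
       "==": operator.eq, ">": operator.gt, "<": operator.lt}
CLAUSE = re.compile(r"^(>=|<=|!=|==|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Turn '6.0.1' into a comparable tuple; '6.0' and '6.0.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # strip trailing zeros
        parts.pop()
    return tuple(parts)


def parse_specifier(spec):
    """Split 'pyyaml>=5.0,!=5.4.0,<6.0' into (name, [(op_fn, version), ...])."""
    m = re.match(r"^([A-Za-z0-9_.-]+)\s*(.*)$", spec.strip())
    name, rest = m.group(1), m.group(2)
    clauses = []
    for chunk in filter(None, (c.strip() for c in rest.split(","))):
        cm = CLAUSE.match(chunk)
        if not cm:
            raise ValueError(f"unsupported clause: {chunk!r}")
        clauses.append((OPS[cm.group(1)], parse_version(cm.group(2))))
    return name, clauses


def allowed(spec, candidates=CANDIDATES):
    """Candidates that satisfy every clause, in index order."""
    _, clauses = parse_specifier(spec)
    return [c for c in candidates
            if all(op(parse_version(c), v) for op, v in clauses)]


def resolve(spec, candidates=CANDIDATES):
    """Highest allowed version, which is what pip picks absent other constraints."""
    ok = allowed(spec, candidates)
    return max(ok, key=parse_version) if ok else None


if __name__ == "__main__":
    for spec in ("pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0",
                 "pyyaml>=5.0,!=5.4.0,!=5.4.1,!=6.0,<7.0"):
        print(f"{spec:45} -> {resolve(spec)}")
```

Running a pin set through a check like this before merging makes it visible when an exclusion list quietly drives the resolver back to an older release the pin was never meant to select.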

freyes commented 1 year ago

https://github.com/juju/charm-tools/pull/663