sayar
commented
5 years ago This is a temporary fix and won't resolve the underlying issue; every time pipenv update is run, the Pipfile.lock will revert back to pyyaml below 4.2b1. See #232
Closed c-w closed 5 years ago
sayar
commented
5 years ago This is a temporary fix and won't resolve the underlying issue; every time pipenv update is run, the Pipfile.lock will revert back to pyyaml below 4.2b1. See #232
c-w
commented
5 years ago What's worse, when I apply this diff:
--- a/agogosml_cli/Pipfile
+++ b/agogosml_cli/Pipfile
@@ -6,6 +6,7 @@ verify_ssl = true
bumpversion = "*"
wheel = "*"
watchdog = "*"
+pyyaml = ">=4.2b1" # transitive dependency via watchdog has a vulnerability
flake8 = "*"
tox = "*"
pytest = "*"
@@ -27,3 +28,6 @@ cookiecutter = "~=1.6"
[requires]
python_version = "3.7"
+
+[pipenv]
+allow_prereleases = trueThen jsonnet build starts failing for some reason... And here I thought pipenv was supposed to fix this.
Versions below 4.2b1 suffer from CVE-2017-18342. The tests still pass so this should be a safe update.
All Submissions:
[x] Have you followed the guidelines in our Contributing document?
[x] Have you checked to ensure there aren't other open Pull Requests for the same update/change?
[x] Does your PR follow our Code of Conduct?
[x] Have you added an explanation of what your changes do and why you'd like us to include them?
[x] Does each method or function "do one thing well"? Reviewers may recommend methods be split up for maintainability and testability. Not applicable: dependency update
[x] Is this code designed to be testable? Not applicable: dependency update
[x] Is the code documented well? Not applicable: dependency update
[x] Does your submission pass existing tests (or update existing tests with documentation regarding the change)?
[x] Have you added tests to cover your changes? Not applicable: dependency update
[x] Have you linted your code prior to submission? Not applicable: dependency update
[x] Have you updated the documentation and README? Not applicable: dependency update
[x] Is PII treated correctly? In particular, make sure the code is not logging objects or strings that might contain PII (e.g. request headers). Not applicable: dependency update
[x] Have secrets been stripped before committing? Not applicable: dependency update