microsoft / knack

Knack - A Python command line interface framework
https://pypi.python.org/pypi/knack
MIT License

pyyaml security warning #193

Closed haroldrandom closed 4 years ago

haroldrandom commented 4 years ago


This build

yonzhan commented 4 years ago

pyyaml security warning

jiasli commented 4 years ago

This is due to a vulnerability in PyYAML according to CVE-2020-1747.

Similar to https://github.com/Azure/azure-cli/issues/12428, which is fixed by https://github.com/Azure/azure-cli/pull/12440. I think we need to bump to 5.3.1 or a higher version.

Quinncuatro commented 2 years ago

@jiasli - It's been two years, and somehow the line for PyYAML in requirements.txt no longer has a specified point release associated with it.

I'm getting a similar warning as @haroldrandom, since the Azure-CLI package is pulling in knack/0.9.0 which is pulling in PyYAML/5.3.1.

I brought it up in Issue #258.
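A small stdlib-only check covering both points raised above (jiasli's 5.3.1 floor for CVE-2020-1747 and the unpinned PyYAML line Quinncuatro describes), added here as an example and not code from knack or the Azure CLI: it reads requirements.txt lines, reports whether each PyYAML requirement still admits a release below 5.3.1, and also checks the PyYAML actually installed, since knack's pin reaches Azure CLI users transitively. The sample requirements text is constructed, and `importlib.metadata` assumes Python 3.8 or newer.

```python
import re
from importlib.metadata import PackageNotFoundError, version

MIN_SAFE_PYYAML = (5, 3, 1)  # first release the thread names as carrying the CVE-2020-1747 fix

# Constructed sample requirements.txt content, not knack's actual file.
SAMPLE_REQUIREMENTS = """\
argcomplete>=1.8
PyYAML              # no version at all, the line Quinncuatro describes
pyyaml==5.3         # pinned below the fix
PyYAML>=5.3.1,<6    # floor at the fixed release
"""
# project name, then everything up to an optional '#' comment
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*([^#]*?)\s*(?:#.*)?$")

def parse_version(text):
    """Numeric prefix of a version string: '5.3.1' -> (5, 3, 1), '5.4b1' -> (5, 4)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def lower_bound(spec):
    """Lowest version a specifier string admits, or None when it sets no floor.
    '>' is treated like '>=' (conservative: may over-report, never under-report)."""
    floor = None
    for clause in (c.strip() for c in spec.split(",")):
        m = re.match(r"(==|>=|>|~=)\s*([0-9][0-9.]*)", clause)
        if m:
            ver = parse_version(m.group(2))
            floor = ver if floor is None or ver > floor else floor
    return floor

def audit_pyyaml(requirements_text):
    """(requirement, verdict) per PyYAML line: 'unpinned', 'vulnerable-allowed' or 'ok'."""
    results = []
    for raw in requirements_text.splitlines():
        m = REQ_RE.match(raw)
        if not m or m.group(1).lower() != "pyyaml":
            continue  # blank line, comment, or some other project
        floor = lower_bound(m.group(2))
        verdict = ("unpinned" if floor is None
                   else "vulnerable-allowed" if floor < MIN_SAFE_PYYAML else "ok")
        results.append((m.group(1) + m.group(2), verdict))
    return results

def installed_pyyaml_ok():
    """True/False for the PyYAML installed in this environment, None if it is absent."""
    try:
        return parse_version(version("PyYAML")) >= MIN_SAFE_PYYAML
    except PackageNotFoundError:
        return None
```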

Quinncuatro commented 2 years ago

I take that back. Everything was resolved in #258. Ended up being an issue with the pipeline.