microsoft / knack

Knack - A Python command line interface framework
https://pypi.python.org/pypi/knack
MIT License

Unpin PyYAML #241

Closed jiasli closed 3 years ago

jiasli commented 3 years ago

Unpin PyYAML so that the latest version will always be used. This solves

https://dev.azure.com/azure-sdk/public/_build/results?buildId=781110&view=logs&j=74095127-2a27-5370-37ed-15a4193f243f&t=a1e0e2fa-9206-5f67-cee4-df0dbeea0a5f&l=515

[INFO] __________________________________________________________________________________________________________________ 
[INFO] |Security Alerts                                                                                                 | 
[INFO] |________________________________________________________________________________________________________________| 
[INFO] |Alert title                             |Affected component                      |Severity                      | 
[INFO] |________________________________________|________________________________________|______________________________| 
[INFO] |CVE-2020-14343                          |pyyaml 5.3.1                            |Critical                      | 
[INFO] |________________________________________|________________________________________|______________________________| 
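An environment check for the failure mode this thread describes (the resolved PyYAML silently staying at the flagged 5.3.1 even though the project no longer pins it), added here as an example rather than code from knack or this PR. It assumes the CVE-2020-14343 fix shipped in PyYAML 5.4, and the requirements text is a constructed sample, not knack's own.

```python
"""Verify the PyYAML that actually resolved is not the flagged 5.3.1.

Added example, not knack code. Assumption: CVE-2020-14343 is fixed in
PyYAML 5.4, so anything below 5.4.0 is treated as vulnerable.
"""
import re
from importlib import metadata
from typing import List, Optional

FIRST_PATCHED = (5, 4, 0)  # assumption: first PyYAML release with the fix


def parse_version(text: str) -> tuple:
    """Turn '5.3.1' or '5.4' into a comparable 3-tuple, padding with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(version: str) -> bool:
    return parse_version(version) >= FIRST_PATCHED


def installed_pyyaml_version() -> Optional[str]:
    """Version of the PyYAML distribution in this interpreter, if any."""
    try:
        return metadata.version("PyYAML")
    except metadata.PackageNotFoundError:
        return None


def audit(version: Optional[str]) -> str:
    """Verdict a CI gate would act on (fail the build on VULNERABLE)."""
    if version is None:
        return "PyYAML not installed"
    if is_patched(version):
        return f"PyYAML {version}: OK"
    return f"PyYAML {version}: VULNERABLE to CVE-2020-14343, unpin did not take effect"


def find_unpatched_pins(requirements: str) -> List[str]:
    """Lines that pin PyYAML with '==' to a version below the fix.
    Only exact pins are judged; ranges need a real resolver."""
    hits = []
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(?i)pyyaml\s*==\s*([\d.]+)$", line)
        if m and not is_patched(m.group(1)):
            hits.append(line)
    return hits


SAMPLE_REQUIREMENTS = """\
# constructed sample constraints file, not knack's own
knack
PyYAML==5.3.1   # stale pin pulled in from elsewhere in the pipeline
requests>=2.25
"""

if __name__ == "__main__":
    print(audit(installed_pyyaml_version()))
    print("stale pins:", find_unpatched_pins(SAMPLE_REQUIREMENTS))
```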
Quinncuatro commented 2 years ago

@jiasli - Brought this up in a couple of Issues (#258 & #193), but it seems like unpinning PyYAML is somehow letting it still default to version 5.3.1, which is throwing an arbitrary code execution warning on my end (via BlackDuck).

I fleshed out my reasoning on it in issue #258. Something wonky is happening - might be a good idea to re-pin this one.

Quinncuatro commented 2 years ago

I take that back. Everything was resolved in #258. Ended up being an issue with the pipeline.