rveachkc
commented
3 years ago @dependabot merge
On Thu, Mar 25, 2021 at 5:22 PM dependabot[bot] @.***> wrote:
This automated pull request fixes a security vulnerability https://github.com/rveachkc/pymsteams/security/dependabot/dev-requirements.txt/PyYAML/open (moderate severity).
Learn more about Dependabot security updates https://docs.github.com/github/managing-security-vulnerabilities/configuring-dependabot-security-updates.
Bumps pyyaml https://github.com/yaml/pyyaml from 5.3.1 to 5.4. Changelog
Sourced from pyyaml's changelog https://github.com/yaml/pyyaml/blob/master/CHANGES.
5.4 (2021-01-19)
- yaml/pyyaml#407 https://github-redirect.dependabot.com/yaml/pyyaml/pull/407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
- yaml/pyyaml#472 https://github-redirect.dependabot.com/yaml/pyyaml/pull/472 -- Fix for CVE-2020-14343 https://github.com/advisories/GHSA-8q59-q68h-6hv4, moves arbitrary python tags to UnsafeLoader
- yaml/pyyaml#441 https://github-redirect.dependabot.com/yaml/pyyaml/pull/441 -- Fix memory leak in implicit resolver setup
- yaml/pyyaml#392 https://github-redirect.dependabot.com/yaml/pyyaml/pull/392 -- Fix py2 copy support for timezone objects
- yaml/pyyaml#378 https://github-redirect.dependabot.com/yaml/pyyaml/pull/378 -- Fix compatibility with Jython
Commits
- 58d0cb7 https://github.com/yaml/pyyaml/commit/58d0cb7ee09954c67fabfbd714c5673b03e7a9e1 5.4 release
- a60f7a1 https://github.com/yaml/pyyaml/commit/a60f7a19c0b418fe95fcf2ec0957005ae39e1090 Fix compatibility with Jython
- ee98abd https://github.com/yaml/pyyaml/commit/ee98abd7d7bd2ca9c7b98aa19164fd0306a3f3d2 Run CI on PR base branch changes
- ddf2033 https://github.com/yaml/pyyaml/commit/ddf20330be1fae8813b8ce1789c48f244746d252 constructor.timezone: _copy & deepcopy
- fc914d5 https://github.com/yaml/pyyaml/commit/fc914d52c43f499224f7fb4c2d4c47623adc5b33 Avoid repeatedly appending to yaml_implicit_resolvers
- a001f27 https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc Fix for CVE-2020-14343 https://github.com/advisories/GHSA-8q59-q68h-6hv4
- fe15062 https://github.com/yaml/pyyaml/commit/fe150624146ee631bb0f95e45731e8b01281fed6 Add 3.9 to appveyor file for completeness sake
- 1e1c7fb https://github.com/yaml/pyyaml/commit/1e1c7fb7c09e9149967c208a6fd07276a6140d57 Add a newline character to end of pyproject.toml
- 0b6b7d6 https://github.com/yaml/pyyaml/commit/0b6b7d61719fbe0a11f0980489f1bf8ce746c164 Start sentences and phrases for capital letters
- c976915 https://github.com/yaml/pyyaml/commit/c97691596eec279ef9191a9b3bba583a17139d5a Shell code improvements
- Additional commits viewable in compare view https://github.com/yaml/pyyaml/compare/5.3.1...5.4
[image: Dependabot compatibility score] https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page https://github.com/rveachkc/pymsteams/network/alerts.
You can view, comment on, or merge this pull request online at:
https://github.com/rveachkc/pymsteams/pull/90 Commit Summary
- Bump pyyaml from 5.3.1 to 5.4
File Changes
- M dev-requirements.txt https://github.com/rveachkc/pymsteams/pull/90/files#diff-43470c4f399e798afc682f0bf6c690eef5f47ee25445904a066e4c3314f3a787 (2)
Patch Links:
- https://github.com/rveachkc/pymsteams/pull/90.patch
- https://github.com/rveachkc/pymsteams/pull/90.diff
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/rveachkc/pymsteams/pull/90, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABXLSLKQMRAFDITKESSXWL3TFOZRJANCNFSM4Z2HPWWQ .
Bumps pyyaml from 5.3.1 to 5.4.
Changelog
Sourced from pyyaml's changelog.
Commits
58d0cb75.4 releasea60f7a1Fix compatibility with Jythonee98abdRun CI on PR base branch changesddf2033constructor.timezone: _copy & deepcopyfc914d5Avoid repeatedly appending to yaml_implicit_resolversa001f27Fix for CVE-2020-14343fe15062Add 3.9 to appveyor file for completeness sake1e1c7fbAdd a newline character to end of pyproject.toml0b6b7d6Start sentences and phrases for capital lettersc976915Shell code improvementsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot will merge this PR once CI passes on it, as requested by @rveachkc.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/rveachkc/pymsteams/network/alerts).