Pinning pyyaml to 6.0 for now to get past critical security alert #711
Conversation
LGTM. Interesting that the source of pyyaml, which is google-python-cloud-debugger, hasn't been updated since last summer: https://pypi.org/project/google-python-cloud-debugger/#history
I left one not-so-important comment.
But looks good to me. Did a quick test of staging URL, http://146.148.38.59/ — more specifically the recommendations ("You May Also Like" section).
Seems to work fine!
Approved!
urllib3==1.26.5 | ||
pyyaml==6.0 |
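Review bot: the added `pyyaml==6.0` line is an exact pin on a package the project does not import directly, and nothing on the line records why it exists or when it can go, so a later cleanup has no way to know it is safe to drop; an exact `==` in requirements.in also means a later resolve cannot pick up pyyaml patch releases on its own. Consider `pyyaml>=6.0  # transitive via google-python-cloud-debugger; remove once it raises its own pyyaml bound` so the security floor from the alert is kept while later fixes still resolve automatically.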
Nitpick:
We could leave a comment here similar to
pyyaml==6.0 # This is not a direct dependency. We will need to keep an eye on google-python-cloud-debugger's use of pyyaml, update google-python-cloud-debugger when it updates pyyaml, and eventually remove this line.
or maybe create a GitHub issue.
I just want to make sure the work that's yet to be done is visible to our team. :)
I've created a new issue to track this: #713
So we can go ahead and merge this pull request. :)
Thanks again, Don, for this PR, and thanks, Olivier, for reviewing!
…ogleCloudPlatform#711) Co-authored-by: Nim Jayawardena <nimjay@google.com>
Background
Updating pyyaml to 6.0 to address a Dependabot alert.
Change Summary
Pinning pyyaml to 6.0 in requirements.in. Eventually this will need to be reverted to allow google-python-cloud-debugger to pull in the version it prefers.
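The follow-up work this PR leaves behind (issue #713) is checking, at some later date, whether the transitive pin is still needed. The script below is an added example, not code from this PR or from the project: it scans a requirements.in-style file for pins marked with a constructed `# transitive pin: via <package>` comment, compares each pinned version against what the named direct dependency declares it needs, and reports whether the pin still adds a security floor, is redundant, or conflicts with the dependency's own constraint. The sample requirements text and the `SAMPLE_DECLARED_REQUIRES` table are constructed stand-ins; in a real check the declared requirements would come from `importlib.metadata.requires(<distribution>)`.

```python
"""Check whether explicit pins on transitive dependencies are still needed.

Added example (not from the PR or the project). Version handling is a
deliberately small subset of PEP 440: dotted integer versions and the
operators ==, !=, >=, <=, >, <. Use the `packaging` library for real data.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Spec = Tuple[str, Version]

# Constructed sample in the style of the PR's requirements.in.
SAMPLE_REQUIREMENTS_IN = """\
urllib3==1.26.5
pyyaml==6.0  # transitive pin: via google-python-cloud-debugger
google-python-cloud-debugger==2.15
"""

# Constructed stand-in for what each direct dependency declares it requires.
# Real data: importlib.metadata.requires("google-python-cloud-debugger").
SAMPLE_DECLARED_REQUIRES: Dict[str, List[str]] = {
    "google-python-cloud-debugger": ["pyyaml>=3.13", "six"],
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_SPEC_RE = re.compile(r"(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)")
_MARKER_RE = re.compile(r"transitive pin:\s*via\s+(\S+)", re.IGNORECASE)


def normalize(name: str) -> str:
    """Normalize a distribution name the way PyPI does (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so 6.0 and 6.0.0 compare equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def parse_requirement(line: str) -> Tuple[str, List[Spec]]:
    match = _REQ_RE.match(line)
    if not match:
        raise ValueError(f"unparseable requirement: {line!r}")
    specs = [(op, parse_version(ver)) for op, ver in _SPEC_RE.findall(match.group(2))]
    return normalize(match.group(1)), specs


def satisfies(version: Version, specs: List[Spec]) -> bool:
    ops = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
           ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, "<": lambda a, b: a < b}
    return all(ops[op](*_pad(version, bound)) for op, bound in specs)


def spec_excludes_below(specs: List[Spec], floor: Version) -> bool:
    """True if the specifier by itself already rules out every version < floor."""
    for op, bound in specs:
        padded_bound, padded_floor = _pad(bound, floor)
        if op in (">=", "==", ">") and padded_bound >= padded_floor:
            return True
    return False


def find_transitive_pins(requirements_in: str) -> Dict[str, Tuple[str, str]]:
    """Map pinned name -> (pinned version, package the pin exists for)."""
    pins: Dict[str, Tuple[str, str]] = {}
    for raw in requirements_in.splitlines():
        code, _, comment = raw.partition("#")
        marker = _MARKER_RE.search(comment)
        version = re.search(r"==\s*([0-9][0-9.]*)", code)
        if not code.strip() or not marker or not version:
            continue
        name, _ = parse_requirement(code)
        pins[name] = (version.group(1), normalize(marker.group(1)))
    return pins


def check_pins(requirements_in: str, declared: Dict[str, List[str]]) -> Dict[str, dict]:
    """Report, per transitive pin, whether it still adds a floor or conflicts."""
    report: Dict[str, dict] = {}
    for name, (pinned_text, via) in find_transitive_pins(requirements_in).items():
        pinned = parse_version(pinned_text)
        declared_specs: Optional[List[Spec]] = None
        declared_text: Optional[str] = None
        for req in declared.get(normalize(via), []):
            req_name, specs = parse_requirement(req)
            if req_name == name:
                declared_specs, declared_text = specs, req
        report[name] = {
            "pinned": pinned_text,
            "required_by": via,
            "declared": declared_text,
            # A dependency that does not declare the package at all cannot
            # protect it, so the explicit pin stays needed in that case.
            "still_needed": declared_specs is None or not spec_excludes_below(declared_specs, pinned),
            "conflict": declared_specs is not None and not satisfies(pinned, declared_specs),
        }
    return report


if __name__ == "__main__":
    for pkg, row in check_pins(SAMPLE_REQUIREMENTS_IN, SAMPLE_DECLARED_REQUIRES).items():
        print(pkg, row)
```

Run against the sample data the pin is reported as still needed, because `pyyaml>=3.13` on its own would let a resolver choose a pyyaml older than 6.0; once the dependency raises its own bound to `pyyaml>=6.0` the same check reports the pin as removable, which is the signal issue #713 is waiting for.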