Pinning pyyaml to 6.0 for now to get past critical security alert #711
Conversation
There was a problem hiding this comment.
LGTM. Interesting that the source of pyyaml, which is google-python-cloud-debugger, hasn't been updated since last summer: https://pypi.org/project/google-python-cloud-debugger/#history
There was a problem hiding this comment.
I left one not-so-important comment.
But looks good to me. Did a quick test of staging URL, http://146.148.38.59/ — more specifically the recommendations ("You May Also Like" section).
Seems to work fine!
Approved!
| urllib3==1.26.5 | ||
| pyyaml==6.0 |
There was a problem hiding this comment.
Nitpick:
We could leave a comment here similar to
pyyaml==6.0 # This is not a direct dependency. We will need to keep an eye on google-python-cloud-debugger's use of pyyaml, update google-python-cloud-debugger when it updates pyyaml, and eventually remove this line.
or maybe create a GitHub issue.
I just want to make sure the work that's yet to be done is visible to our team. :)
There was a problem hiding this comment.
I've created a new issue to track this: #713
So we can do ahead and merge this pull-request. :)
Thanks again, Don, for this PR and the thanks, Olivier, for reviewing!
…ogleCloudPlatform#711) Co-authored-by: Nim Jayawardena <nimjay@google.com>
…ogleCloudPlatform#711) Co-authored-by: Nim Jayawardena <nimjay@google.com>
Background
Updating pyyaml to 6.0 to address dependabot alert
Change Summary
Pinning pyyaml to 6.0 in requirements.in. Eventually this will need to be reverted to allow google-python-cloud-debugger to pull in the version it prefers.