[VR-12461] Bump PyYAML version constraint #2718
Merged
Impact and Context
PyYAML has a security vulnerability that was addressed in `pyyaml==5.4`. Although `verta` itself doesn't use that vulnerable code, its dependency version constraint was conflicting with other libraries'. This PR bumps the upper constraint on our `pyyaml` dependency from `<5.4` to `<6.0`, which is when Python 2 support is dropped. Closes #2536.
Risks and Area of Effect
Low risk: From PyYAML's changelog, the new versions we're allowing do not introduce any relevant breakages.
Low area of effect: `verta` only uses PyYAML for reading user-optional config files (currently only client config & endpoint update config).
Testing
I ran
from my machine on both Python 2 and 3, which encompasses all our config file-related functionality.
There were a handful of unrelated failures:
FAILED test_endpoint/test_endpoint.py::TestEndpoint::test_update_init_error
FAILED test_endpoint/test_endpoint.py::TestEndpoint::test_update_with_custom_module
in Python 2
FAILED test_endpoint/test_endpoint.py::TestEndpoint::test_update_twice
How to Revert
Revert this PR.
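The point of the "Impact and Context" section is that a dependency's upper bound can silently exclude the release that carries a security fix: with `pyyaml<5.4` the patched `5.4` release is not installable at all, while `pyyaml<6.0` admits it. The following is an added, stdlib-only example (not code from this PR or from the verta project) that makes that check explicit: it parses a simple version constraint, reports whether the constraint still admits a given fixed release, and checks the version actually installed in the current environment. It assumes plain dotted-integer versions such as `5.4` or `5.3.1` and the operators `<`, `<=`, `>`, `>=`, `==`, `!=` joined by commas; the function and variable names are this example's own, and a project that needs full PEP 440 semantics would use the `packaging` library instead.

```python
"""Added example (not part of the verta PR): does a version constraint
still admit the release that carries a security fix, and is the
installed copy at or above that release?

Assumptions (this example's own, not from the PR): versions are dotted
integers ("5.4", "5.3.1"); a trailing non-numeric suffix such as "b1"
is ignored; specifiers use <, <=, >, >=, ==, != joined by commas,
e.g. ">=3.10,<6.0".
"""
import re
from importlib import metadata  # stdlib since Python 3.8

_SPEC_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9][0-9A-Za-z.]*)$")
_NUMERIC_PREFIX_RE = re.compile(r"^\d+(?:\.\d+)*")

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(text):
    """'5.4' -> (5, 4). Trailing zeros are dropped so '6.0' == '6'."""
    m = _NUMERIC_PREFIX_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported version: %r" % text)
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_specifiers(constraint):
    """'>=3.10,<6.0' -> [('>=', (3, 10)), ('<', (6,))]."""
    specs = []
    for clause in constraint.split(","):
        clause = clause.strip()
        if not clause:
            continue
        m = _SPEC_RE.match(clause)
        if not m:
            raise ValueError("unsupported specifier: %r" % clause)
        specs.append((m.group(1), parse_version(m.group(2))))
    return specs


def satisfies(version, constraint):
    """True if `version` meets every clause of `constraint`."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_specifiers(constraint))


def admits_fix(constraint, fixed_version):
    """True if the release carrying the fix is installable under `constraint`.

    This is the check the PR's bump addresses: "<5.4" excludes 5.4 itself,
    "<6.0" includes it.
    """
    return satisfies(fixed_version, constraint)


def installed_is_patched(dist_name, fixed_version):
    """Return (installed_version, ok); (None, False) if the package is absent."""
    try:
        installed = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None, False
    return installed, parse_version(installed) >= parse_version(fixed_version)


if __name__ == "__main__":
    FIXED = "5.4"  # release the PR names as carrying the fix
    for constraint in ("<5.4", "<6.0"):  # old and new upper bounds from the PR
        print("%-5s admits %s: %s" % (constraint, FIXED, admits_fix(constraint, FIXED)))
    print("installed PyYAML:", installed_is_patched("PyYAML", FIXED))
```

Running the script prints that `<5.4` does not admit `5.4` while `<6.0` does, then reports whatever PyYAML (if any) is installed locally; the same `admits_fix` call is cheap enough to run in CI against every pinned upper bound whenever a dependency publishes a security release.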