pyyaml version is vulnerable to CVE-2017-18342

[alexomics]

The pyyaml version specified here is vulnerable to to CVE-2017-18342.

Can this be upgraded without issue?

[bryevdv]

It's unclear. The latest version of pyyaml on both PyPI and conda default repositories is 3.13. Evidently the project was taken over by an entirely new team, though I can't find any release of it under the same name.

[bryevdv]

Looks like 4.2 is not available yet: yaml/pyyaml#193 We are certainly happy to move on this as soon as a release is available

[bryevdv]

FWIW The CVE only seems to pertain to yaml.load. Here are all the instances of yaml.load in the codebase:

./_testing/util/examples.py:
  266 :         examples = yaml.load(f.read())
./themes/theme.py:
  131 :                 json = yaml.load(f)
./util/sampledata.py:
  109 :         config = yaml.load(open(join(bokeh_dir, 'config')))

It would be reasonable to see if yaml.safe_load would work for all of those, in which case that would be a more proactive solution.

[bryevdv]

Testing seems to indicate that yaml.safe_load works fine for Bokeh's needs. I have pushed a PR that switches to only use safe_load. I will make an accelerated 1.0.4 release when this is merged.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.