From b2684c95b21d8235dca46bf7f80c2bcc948883dc Mon Sep 17 00:00:00 2001
From: Stefan Hoelzl
Date: Sat, 13 Apr 2019 10:29:20 +0200
Subject: [PATCH] [bugfix] Updated pyyaml and Jinja2 because of security vulnerabilities
pyyaml: CVE-2017-18342 https://nvd.nist.gov/vuln/detail/CVE-2017-18342
Jinja2: CVE-2019-10906 https://nvd.nist.gov/vuln/detail/CVE-2019-10906
---
 .gitignore | 1 +
 requirements.txt | 4 ++--
 setup.py | 4 ++--
 vuecli/provider.py | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/.gitignore b/.gitignore
index 8fd2bdc0..2dd03611 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 venv
 .idea
 .pytest_cache
+__pycache__
 gh-pages-build
 debug
diff --git a/requirements.txt b/requirements.txt
index a90a29e8..7ad04798 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
 Flask==1.0.2
-Jinja2==2.10
-pyyaml==3.13
+Jinja2==2.10.1
+pyyaml==5.1
 docopt==0.6.2
 # packaging
diff --git a/setup.py b/setup.py
index 50647c5d..40a7f24e 100644
--- a/setup.py
+++ b/setup.py
@@ -40,8 +40,8 @@ def readme():
     ],
     install_requires=[
         'Flask==1.0.2',
-        'Jinja2==2.10',
-        'pyyaml==3.13',
+        'Jinja2==2.10.1',
+        'pyyaml==5.1',
         'docopt==0.6.2',
     ],
     package_data={
diff --git a/vuecli/provider.py b/vuecli/provider.py
index 8a165426..165b97de 100644
--- a/vuecli/provider.py
+++ b/vuecli/provider.py
@@ -38,7 +38,7 @@ def _load_config(self):
         config_file = Path(self.path, "vuepy.yml")
         if config_file.exists():
             with open(config_file, "r") as fh:
-                config = yaml.load(fh.read())
+                config = yaml.safe_load(fh.read())
         if config:
             self.config = config
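Review bot: The value returned by `yaml.safe_load` on the added line in vuecli/provider.py is stored into `self.config` after only a truthiness check, so a `vuepy.yml` whose top level parses to a list or a scalar is accepted as configuration; if the rest of the class expects a mapping, `if isinstance(config, dict):` would reject such a file at the loading boundary instead of letting it fail later. `safe_load` also accepts the open stream directly, so `config = yaml.safe_load(fh)` avoids reading the whole file into a string first, and `open(config_file, "r", encoding="utf-8")` makes the decoding independent of the process locale. A malformed file still raises `yaml.YAMLError` out of this method, which may be intended but is worth a comment such as `# malformed vuepy.yml propagates as yaml.YAMLError`. `_load_config` begins before the hunk, and the hunk header counts suggest one trailing context line was lost when the patch was collapsed, so the function may continue beyond what is shown.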