requirements: ensure safe version of PyYAML >= 5.4 (CVE-2020-1747)

PyYAML versions 5.1–5.3.1 are vulnerable to CVE-2020-1747, which allows arbitrary code execution through yaml.FullLoader. While PyYAML 5.4+ patches this, the dependency specification (pyyaml >= 5.1) doesn't guarantee a safe version. Let's increase the requirement to version 5.4 to ensure a safe version of is used. This patch is based on suggestions from: "YanTong C <chyeyantong03@gmail.com>" Change-Id: I901c76c59e9c1bab030eab81038e04a475b32510
2026-04-15 14:14:35 +02:00
parent 816b31eb07
commit c50f4b4a02
3 changed files with 3 additions and 3 deletions
--- a/README.md
+++ b/README.md
@@ -97,7 +97,7 @@ Please install the following dependencies:
 - pyscard
 - pyserial
 - pytlv
- - pyyaml >= 5.1
+ - pyyaml >= 5.4
 - smpp.pdu (from `github.com/hologram-io/smpp.pdu`)
 - termcolor

--- a/requirements.txt
+++ b/requirements.txt
@@ -6,7 +6,7 @@ jsonpath-ng
 construct>=2.10.70
 bidict
 pyosmocom>=0.0.12
-pyyaml>=5.1
+pyyaml>=5.4
 termcolor
 colorlog
 pycryptodomex
--- a/setup.py
+++ b/setup.py
@@ -26,7 +26,7 @@ setup(
        "construct >= 2.10.70",
        "bidict",
        "pyosmocom >= 0.0.12",
-        "pyyaml >= 5.1",
+        "pyyaml >= 5.4",
        "termcolor",
        "colorlog",
        "pycryptodomex",