Dependencies: update requirement pyyaml~=5.4 (#5060)

Earlier versions have critical security flaws that have been fixed in
`pyyaml==5.4`. Note that `plumpy` also needs to be upgraded to `0.20.0`
which adds support for this version of `pyyaml`.

The `UnsafeLoader` is replaced by the `Loader` which are identical, but
the former is only being kept as an alias for backwards compatibility
but it might be removed in future releases.

aiida/orm/utils/serialize.py

@@ -176,11 +176,11 @@ def represent_data(self, data):
         return super().represent_data(data)
 
 
-class AiiDALoader(yaml.UnsafeLoader):
+class AiiDALoader(yaml.Loader):
     """AiiDA specific yaml loader
 
-    .. note:: The `AiiDALoader` should only be used on trusted input, because it uses the `yaml.UnsafeLoader`. When
-        importing a shared database, we strip all process node checkpoints to avoid this being a security risk.
+    .. note:: The `AiiDALoader` should only be used on trusted input, since it uses the `yaml.Loader` which is not safe.
+        When importing a shared database, we strip all process node checkpoints to avoid this being a security risk.
     """
 
 
@@ -220,8 +220,7 @@ def serialize(data, encoding=None):
 def deserialize_unsafe(serialized):
     """Deserialize a yaml dump that represents a serialized data structure.
 
-    .. note:: This function should not be used on untrusted input, because
-        it is built upon `yaml.UnsafeLoader`.
+    .. note:: This function should not be used on untrusted input, since it is built upon `yaml.Loader` which is unsafe.
 
     :param serialized: a yaml serialized string representation
     :return: the deserialized data structure

environment.yml

@@ -25,13 +25,13 @@ dependencies:
 - numpy~=1.17
 - pamqp~=2.3
 - paramiko>=2.7.2,~=2.7
-- plumpy~=0.19.0
+- plumpy~=0.20.0
 - pgsu~=0.2.0
 - psutil~=5.6
 - psycopg2-binary~=2.8.3
 - python-dateutil~=2.8
 - pytz~=2021.1
-- pyyaml~=5.1
+- pyyaml~=5.4
 - reentry~=1.3
 - simplejson~=3.16
 - sqlalchemy-utils~=0.37.2

requirements/requirements-py-3.7.txt

@@ -88,7 +88,7 @@ pickleshare==0.7.5
 Pillow==8.2.0
 plotly==4.14.3
 pluggy==0.13.1
-plumpy==0.19.0
+plumpy==0.20.0
 prometheus-client==0.9.0
 prompt-toolkit==3.0.14
 psutil==5.8.0
@@ -118,7 +118,7 @@ python-editor==1.0.4
 python-memcached==1.59
 pytray==0.3.1
 pytz==2021.1
-PyYAML==5.1.2
+PyYAML==5.4.1
 pyzmq==22.0.2
 qtconsole==5.0.2
 QtPy==1.9.0

requirements/requirements-py-3.8.txt

@@ -87,7 +87,7 @@ pickleshare==0.7.5
 Pillow==8.2.0
 plotly==4.14.3
 pluggy==0.13.1
-plumpy==0.19.0
+plumpy==0.20.0
 prometheus-client==0.9.0
 prompt-toolkit==3.0.14
 psutil==5.8.0
@@ -117,7 +117,7 @@ python-editor==1.0.4
 python-memcached==1.59
 pytray==0.3.1
 pytz==2021.1
-PyYAML==5.1.2
+PyYAML==5.4.1
 pyzmq==22.0.2
 qtconsole==5.0.2
 QtPy==1.9.0

requirements/requirements-py-3.9.txt

@@ -87,7 +87,7 @@ pickleshare==0.7.5
 Pillow==8.2.0
 plotly==4.14.3
 pluggy==0.13.1
-plumpy==0.19.0
+plumpy==0.20.0
 prometheus-client==0.9.0
 prompt-toolkit==3.0.14
 psutil==5.8.0
@@ -117,7 +117,7 @@ python-editor==1.0.4
 python-memcached==1.59
 pytray==0.3.1
 pytz==2021.1
-PyYAML==5.1.2
+PyYAML==5.4.1
 pyzmq==22.0.2
 qtconsole==5.0.2
 QtPy==1.9.0

setup.json

@@ -39,13 +39,13 @@
         "numpy~=1.17",
         "pamqp~=2.3",
         "paramiko~=2.7,>=2.7.2",
-        "plumpy~=0.19.0",
+        "plumpy~=0.20.0",
         "pgsu~=0.2.0",
         "psutil~=5.6",
         "psycopg2-binary~=2.8.3",
         "python-dateutil~=2.8",
         "pytz~=2021.1",
-        "pyyaml~=5.1",
+        "pyyaml~=5.4",
         "reentry~=1.3",
         "simplejson~=3.16",
         "sqlalchemy-utils~=0.37.2",

tests/engine/processes/test_exit_code.py

@@ -39,7 +39,8 @@ def test_exit_code_serializability():
 
     exit_code = ExitCode()
     serialized = yaml.dump(exit_code)
-    deserialized = yaml.full_load(serialized)
+    # The default loaders are "safe" and won't load an ``ExitCode``, however, the ``Loader`` loader will.
+    deserialized = yaml.load(serialized, Loader=yaml.Loader)
 
     assert deserialized == exit_code
     assert isinstance(deserialized, ExitCode)

utils/requirements.txt

@@ -1,5 +1,5 @@
 click==7.1.2
 packaging==20.3
-pyyaml==5.1.2
+pyyaml==5.4.1
 requests==2.25.1
 tomlkit==0.7.2