5.4 release

2025-10-19 19:13:19 +00:00 · 2021-01-19 14:07:59 -05:00 · 2021-01-19 14:07:59 -05:00 · 58d0cb7ee0
commit 58d0cb7ee0
parent a60f7a19c0
6 changed files with 39 additions and 21 deletions
--- a/14
+++ b/14
@ -4,6 +4,14 @@ For a complete changelog, see:
 * https://github.com/yaml/pyyaml/commits/
 * https://bitbucket.org/xi/pyyaml/commits/
 5.4 (2021-01-19)
 * https://github.com/yaml/pyyaml/pull/407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
 * https://github.com/yaml/pyyaml/pull/472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
 * https://github.com/yaml/pyyaml/pull/441 -- Fix memory leak in implicit resolver setup
 * https://github.com/yaml/pyyaml/pull/392 -- Fix py2 copy support for timezone objects
 * https://github.com/yaml/pyyaml/pull/378 -- Fix compatibility with Jython
 5.3.1 (2020-03-18)
 * https://github.com/yaml/pyyaml/pull/386 -- Prevents arbitrary code execution during python/object/new constructor
@ -11,7 +19,7 @@ For a complete changelog, see:
 5.3 (2020-01-06)
 * https://github.com/yaml/pyyaml/pull/290 -- Use `is` instead of equality for comparing with `None`
-* https://github.com/yaml/pyyaml/pull/270 -- fix typos and stylistic nit
+* https://github.com/yaml/pyyaml/pull/270 -- Fix typos and stylistic nit
 * https://github.com/yaml/pyyaml/pull/309 -- Fix up small typo
 * https://github.com/yaml/pyyaml/pull/161 -- Fix handling of __slots__
 * https://github.com/yaml/pyyaml/pull/358 -- Allow calling add_multi_constructor with None
@ -21,8 +29,8 @@ For a complete changelog, see:
 * https://github.com/yaml/pyyaml/pull/359 -- Use full_load in yaml-highlight example
 * https://github.com/yaml/pyyaml/pull/244 -- Document that PyYAML is implemented with Cython
 * https://github.com/yaml/pyyaml/pull/329 -- Fix for Python 3.10
-* https://github.com/yaml/pyyaml/pull/310 -- increase size of index, line, and column fields
+* https://github.com/yaml/pyyaml/pull/310 -- Increase size of index, line, and column fields
-* https://github.com/yaml/pyyaml/pull/260 -- remove some unused imports
+* https://github.com/yaml/pyyaml/pull/260 -- Remove some unused imports
 * https://github.com/yaml/pyyaml/pull/163 -- Create timezone-aware datetimes when parsed as such
 * https://github.com/yaml/pyyaml/pull/363 -- Add tests for timezone
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-Copyright (c) 2017-2020 Ingy döt Net
+Copyright (c) 2017-2021 Ingy döt Net
 Copyright (c) 2006-2016 Kirill Simonov
 Permission is hereby granted, free of charge, to any person obtaining a copy of
--- a/announcement.msg
+++ b/announcement.msg
@ -1,25 +1,34 @@
-From: Tina Müller <post@tinita.de>
+From: Ingy döt Net <ingy@ingy.net>
 To: python-list@python.org, python-announce@python.org, yaml-core@lists.sourceforge.net
-Subject: [ANN] PyYAML-5.3.1: YAML parser and emitter for Python
+Subject: [ANN] PyYAML-5.4 Released
-=======================
+=====================
-Announcing PyYAML-5.3.1
+Announcing PyYAML-5.4
-=======================
+=====================
 A new release of PyYAML is now available:
-https://pypi.org/project/PyYAML/
+https://github.com/yaml/pyyaml/releases/tag/5.4
-This release contains a security fix for CVE-2020-1747. FullLoader was still
+This release contains a security fix for CVE-2020-14343. It removes the
-exploitable for arbitrary command execution.
+python/module, python/object, and python/object/new tags from the FullLoader.
-https://bugzilla.redhat.com/show_bug.cgi?id=1807367
+YAML that uses these tags must be loaded by UnsafeLoader, or a custom loader
 that has explicitly enabled them.
 This release also adds Python wheels for manylinux1 (x86_64) and MacOS (x86_64)
 with the libyaml extension included (built on libyaml 0.2.5).
 PyYAML 5.4 will be the last release to support Python 2.7 (except for possible
 critical bug fix releases).
 Thanks to Riccardo Schirone (https://github.com/ret2libc) for both reporting
 this and providing the fixes to resolve it.
 Changes
 =======
-* https://github.com/yaml/pyyaml/pull/386 -- Prevents arbitrary code execution during python/object/new constructor
+* https://github.com/yaml/pyyaml/pull/407 -- build modernization, remove distutils, fix metadata, build wheels, CI to GHA
 * https://github.com/yaml/pyyaml/pull/472 -- fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
 * https://github.com/yaml/pyyaml/pull/441 -- fix memory leak in implicit resolver setup
 * https://github.com/yaml/pyyaml/pull/392 -- fix py2 copy support for timezone objects
 * https://github.com/yaml/pyyaml/pull/378 -- fix compatibility with Jython
 Resources
@ -55,6 +64,7 @@ files to object serialization and persistence.
 Example
 =======
 ```
 >>> import yaml
 >>> yaml.full_load("""
@ -72,7 +82,7 @@ name: PyYAML
 homepage: https://github.com/yaml/pyyaml
 description: YAML parser and emitter for Python
 keywords: [YAML, serialization, configuration, persistence, pickle]
-
+```
 Maintainers
 ===========
@ -89,7 +99,7 @@ See: https://github.com/yaml/pyyaml/pulls
 Copyright
 =========
-Copyright (c) 2017-2020 Ingy döt Net <ingy@ingy.net>
+Copyright (c) 2017-2021 Ingy döt Net <ingy@ingy.net>
 Copyright (c) 2006-2016 Kirill Simonov <xi@resolvent.net>
 The PyYAML module was written by Kirill Simonov <xi@resolvent.net>.
--- a/lib/yaml/init.py
+++ b/lib/yaml/init.py
@ -8,7 +8,7 @@ from nodes import *
 from loader import *
 from dumper import *
-__version__ = '5.4.0a0'
+__version__ = '5.4'
 try:
    from cyaml import *
--- a/lib3/yaml/init.py
+++ b/lib3/yaml/init.py
@ -8,7 +8,7 @@ from .nodes import *
 from .loader import *
 from .dumper import *
-__version__ = '5.4.0a0'
+__version__ = '5.4'
 try:
    from .cyaml import *
    __with_libyaml__ = True
--- a/setup.py
+++ b/setup.py
@ -1,6 +1,6 @@
 NAME = 'PyYAML'
-VERSION = '5.4.0a0'
+VERSION = '5.4'
 DESCRIPTION = "YAML parser and emitter for Python"
 LONG_DESCRIPTION = """\
 YAML is a data serialization format designed for human readability