Thanks!  I have suppressed this error in all repos.

On 4/1/21 3:37 AM, Till Maas wrote:
Hi,

On Mon, 29 Mar 2021 at 18:24, Rich Megginson <rmeggins@redhat.com> wrote:
Some repos may give a dependabot warning about a CVE in a PyYAML
dependency:
https://github.com/linux-system-roles/template/security/dependabot/ansible_pytest_extra_requirements.txt/PyYAML/open

This is due to
https://github.com/linux-system-roles/template/blob/master/ansible_pytest_extra_requirements.txt#L7

PyYAML<5.1 ; python_version < "2.7"

I believe the last time I looked at this there was no supported PyYAML >= version 5.4 for python 2.6.

Note that this only affects CI on python 2.6, and only for those roles
which have modules which require Ansible for unit testing.

If you are seeing this warning on your repo, and you don't need unit
testing using Ansible, just make this file an empty file.

Otherwise, it is safe to ignore this warning.

I just checked; it is actually possible to dismiss these warnings, so nobody needs to ignore them mentally and nobody will get used to warnings being ignored. For the network role I checked

https://github.com/linux-system-roles/network/security/dependabot

and when opening the actual warning, there is a dismiss button that allows you to select a version. I recommend doing this for all projects so we will notice if a new, relevant warning is shown.

Thanks
Till


--
Till Maas
He/His/Him
Associate Manager, Software Engineering
NetworkManager, Nmstate, Ansible RHEL Networking System Role

Red Hat GmbH, https://de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
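The requirement line discussed in the thread carries an environment marker, so the pin that trips dependabot is only ever selected when pip runs under Python older than 2.7. The following script is an added example, not code from the thread or from the linux-system-roles project: it parses a constructed requirements file that reproduces that line (the other two lines are made up), evaluates the `python_version` marker for a given interpreter version, and lists which active pins would keep PyYAML below a fix threshold. The threshold 5.4 is the version Rich cites; the marker parser is deliberately limited to the single `python_version <op> "X.Y"` form used in the thread and does not implement the full PEP 508 grammar.

```python
import re

# Constructed requirements text. The first line reproduces the pin quoted in
# the thread; the remaining lines are made-up entries for illustration.
REQUIREMENTS = """\
PyYAML<5.1 ; python_version < "2.7"
PyYAML>=5.4 ; python_version >= "2.7"
pytest
"""

# Comparison operators accepted in both the version specifier and the marker.
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}

# name, optional single version specifier, optional ';' environment marker
_REQ_RE = re.compile(
    r'^([A-Za-z0-9_.\-]+)\s*(?:(<=|>=|==|!=|<|>)\s*([0-9.]+))?\s*(?:;\s*(.+))?$'
)
# Only the python_version marker form seen in the thread is supported here.
_MARKER_RE = re.compile(r'^python_version\s*(<=|>=|==|!=|<|>)\s*"([0-9.]+)"$')


def parse_version(text):
    """'5.1' -> (5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(line):
    """Split one requirements line into name, operator, version and marker."""
    match = _REQ_RE.match(line.strip())
    if not match:
        raise ValueError("unsupported requirement syntax: %r" % line)
    name, op, version, marker = match.groups()
    return {"line": line.strip(), "name": name, "op": op,
            "version": version, "marker": marker}


def marker_applies(marker, python_version):
    """True if the line is selected when pip runs under python_version."""
    if marker is None:
        return True
    match = _MARKER_RE.match(marker.strip())
    if not match:
        raise ValueError("unsupported marker: %r" % marker)
    op, wanted = match.groups()
    return _OPS[op](parse_version(python_version), parse_version(wanted))


def active_requirements(text, python_version):
    """Requirements that pip would actually consider on python_version."""
    active = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        req = parse_requirement(line)
        if marker_applies(req["marker"], python_version):
            active.append(req)
    return active


def excludes_fixed(req, fixed_version):
    """True if the specifier can never resolve to fixed_version or newer."""
    if req["op"] is None:
        return False
    pinned = parse_version(req["version"])
    fixed = parse_version(fixed_version)
    if req["op"] == "<":
        return fixed >= pinned
    if req["op"] == "<=":
        return fixed > pinned
    if req["op"] == "==":
        return pinned < fixed
    return False


def pins_excluding_fix(text, python_version, package, fixed_version):
    """Lines active on python_version that keep `package` below fixed_version."""
    return [req["line"] for req in active_requirements(text, python_version)
            if req["name"].lower() == package.lower()
            and excludes_fixed(req, fixed_version)]


if __name__ == "__main__":
    for pyver in ("2.6", "2.7", "3.9"):
        print(pyver, pins_excluding_fix(REQUIREMENTS, pyver, "PyYAML", "5.4"))
```

Running it shows the `PyYAML<5.1` line is reported only for "2.6"; on 2.7 and 3.9 the marker deselects it and the `>=5.4` line is the one in force, which is the reasoning behind dismissing the advisory rather than changing the pin.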