4:37 a.m.
Hi,
Am Mo., 29. März 2021 um 18:24 Uhr schrieb Rich Megginson <
rmeggins(a)redhat.com>:
Some repos may give a dependabot warning about a CVE in a PyYAML
dependency:
https://github.com/linux-system-roles/template/security/dependabot/ansibl...
This is due to
https://github.com/linux-system-roles/template/blob/master/ansible_pytest...
PyYAML<5.1 ; python_version < "2.7"
I believe the last time I looked at this there was no supported PyYAML
>= version 5.4 for python 2.6.
Note that this only affects CI on python 2.6, and only for those roles
which have modules which require Ansible for unit testing.
If you are seeing this warning on your repo, and you don't need unit
testing using Ansible, just make this file an empty file.
Otherwise, it is safe to ignore this warning.
I just checked, it is actually possible to dismiss these warnings so nobody
needs to ignore them mentally and will get used to warnings being ignored.
For the network role I checked
https://github.com/linux-system-roles/network/security/dependabot
and when opening the actual warning, there is a dismiss button that allows
to select a version. I recommend to do this for all projects so we will
notice if a new, relevant warning is shown.
Thanks
Till
--
Till Maas
He/His/Him
Associate Manager, Software Engineering
NetworkManager, Nmstate, Ansible RHEL Networking System Role
Red Hat GmbH, https://de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill