Fun fact: #Azure Pipelines don't support #YAML files with anchors/aliases.

Also fun fact: both #PyYAML and #RuamelYAML *insist* on emitting anchors/aliases, and at least the PyYAML authors seem pretty, errr, opinionated on emitting them.

https://github.com/yaml/pyyaml/issues/535

#Python


YAML Load Executes Arbitrary Code Compromising 470 Servers?!

YAML RCE APOCALYPSE! yaml.load() executes Python! Attacker uploads malicious config! Backdoor on all servers! 4.7M database exfiltrated! $47M breach! CISO ARRESTED!

#python #pythondisaster #yaml #remotecodeexecution #configloading #productionbug #pythonshorts #pythonwtf #deserialization #careerending #criminalcharges #pyyaml

https://www.youtube.com/watch?v=Lvvwf-SaDeE

Just stumbled upon some oddities in #PyYAML and the #YAML 1.1 spec when working on a bug report of #kas. Asked an #LLM and argued with it. TL;DR: Always check the answers against the actual spec.
#oss

The #PyYAML project rejected support for GIL-less Python (#freethreading). As a result, a fork focused on adding that support was created. Because of the fork's limited needs, it supports only Python 3.13+. And since it is not yet possible to express dependencies conditionally on the freethreading version, other packages require PyYAML-ft for Python versions >=3.13 (including the regular one, with the GIL) and regular PyYAML for <3.13.

Isn't the world of Python packages great?

https://github.com/yaml/pyyaml/pull/830#issuecomment-2342475334
https://github.com/Instagram/LibCST/blob/18d4f6aded907bd11b683fa54dad32ca04f84f75/pyproject.toml#L21-L24

#Gentoo #Python


#PyYAML rejected #freethreading support. As a result, a new fork has been created with freethreading support. Given the fork's focus on freethreading, it supports only Python 3.13+. Given the lack of environment markers for freethreading (yet), packages end up depending on PyYAML-ft for >=3.13 (including non-freethreading builds), and PyYAML for <3.13.

Isn't #Python #packaging great?

https://github.com/yaml/pyyaml/pull/830#issuecomment-2342475334
https://github.com/Instagram/LibCST/blob/18d4f6aded907bd11b683fa54dad32ca04f84f75/pyproject.toml#L21-L24

#Gentoo

#PyYaml -> 🚮 slow, slower, slowest

This library is depended on by 867 packages ( #pyyaml , requests, hypothesis ), has a bogus CVE and is abandonware.

That's a bit under 1000 releases not counting the iceberg of closed source.

Who files these bogus CVEs? It is like setting $10,000 on fire, but in $100 piles all across the country.

https://pypi.org/project/py/

https://libraries.io/pypi/py

#python

@orsinium Interesting. I presume you mean this problem with #PyYAML. I hadn't considered #TOML. Will take a look at it. https://stackoverflow.com/questions/76707475/issue-importing-pyyaml-cltk

ℹ️ I've updated #PyXavi to version v0.3.3, fixing a dependency problem with #PyYaml: they published 6.0, which in turn is broken, and it is fixed with 6.0.1

The version is already published on #PyPI
https://pypi.org/project/pyxavi/

#Python things


I couldn't be bothered, so I just installed pyyaml without looking into it much. import yaml works fine.

#yaml #pyyaml #python