5.4 release

Author: ingydotnet

CHANGES

@@ -4,14 +4,22 @@ For a complete changelog, see:
 * https://github.com/yaml/pyyaml/commits/
 * https://bitbucket.org/xi/pyyaml/commits/
 
+5.4 (2021-01-19)
+
+* https://github.com/yaml/pyyaml/pull/407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
+* https://github.com/yaml/pyyaml/pull/472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
+* https://github.com/yaml/pyyaml/pull/441 -- Fix memory leak in implicit resolver setup
+* https://github.com/yaml/pyyaml/pull/392 -- Fix py2 copy support for timezone objects
+* https://github.com/yaml/pyyaml/pull/378 -- Fix compatibility with Jython
+
 5.3.1 (2020-03-18)
 
 * https://github.com/yaml/pyyaml/pull/386 -- Prevents arbitrary code execution during python/object/new constructor
 
 5.3 (2020-01-06)
 
 * https://github.com/yaml/pyyaml/pull/290 -- Use `is` instead of equality for comparing with `None`
-* https://github.com/yaml/pyyaml/pull/270 -- fix typos and stylistic nit
+* https://github.com/yaml/pyyaml/pull/270 -- Fix typos and stylistic nit
 * https://github.com/yaml/pyyaml/pull/309 -- Fix up small typo
 * https://github.com/yaml/pyyaml/pull/161 -- Fix handling of __slots__
 * https://github.com/yaml/pyyaml/pull/358 -- Allow calling add_multi_constructor with None
@@ -21,8 +29,8 @@ For a complete changelog, see:
 * https://github.com/yaml/pyyaml/pull/359 -- Use full_load in yaml-highlight example
 * https://github.com/yaml/pyyaml/pull/244 -- Document that PyYAML is implemented with Cython
 * https://github.com/yaml/pyyaml/pull/329 -- Fix for Python 3.10
-* https://github.com/yaml/pyyaml/pull/310 -- increase size of index, line, and column fields
-* https://github.com/yaml/pyyaml/pull/260 -- remove some unused imports
+* https://github.com/yaml/pyyaml/pull/310 -- Increase size of index, line, and column fields
+* https://github.com/yaml/pyyaml/pull/260 -- Remove some unused imports
 * https://github.com/yaml/pyyaml/pull/163 -- Create timezone-aware datetimes when parsed as such
 * https://github.com/yaml/pyyaml/pull/363 -- Add tests for timezone
 

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2017-2020 Ingy döt Net
+Copyright (c) 2017-2021 Ingy döt Net
 Copyright (c) 2006-2016 Kirill Simonov
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of

announcement.msg

@@ -1,25 +1,34 @@
-From: Tina Müller <post@tinita.de>
+From: Ingy döt Net <ingy@ingy.net>
 To: python-list@python.org, python-announce@python.org, yaml-core@lists.sourceforge.net
-Subject: [ANN] PyYAML-5.3.1: YAML parser and emitter for Python
+Subject: [ANN] PyYAML-5.4 Released
 
-=======================
-Announcing PyYAML-5.3.1
-=======================
+=====================
+Announcing PyYAML-5.4
+=====================
 
 A new release of PyYAML is now available:
-https://pypi.org/project/PyYAML/
+https://github.com/yaml/pyyaml/releases/tag/5.4
 
-This release contains a security fix for CVE-2020-1747. FullLoader was still
-exploitable for arbitrary command execution.
-https://bugzilla.redhat.com/show_bug.cgi?id=1807367
+This release contains a security fix for CVE-2020-14343. It removes the
+python/module, python/object, and python/object/new tags from the FullLoader.
+YAML that uses these tags must be loaded by UnsafeLoader, or a custom loader
+that has explicitly enabled them.
+
+This release also adds Python wheels for manylinux1 (x86_64) and MacOS (x86_64)
+with the libyaml extension included (built on libyaml 0.2.5).
+
+PyYAML 5.4 will be the last release to support Python 2.7 (except for possible
+critical bug fix releases).
 
-Thanks to Riccardo Schirone (https://github.com/ret2libc) for both reporting
-this and providing the fixes to resolve it.
 
 Changes
 =======
 
-* https://github.com/yaml/pyyaml/pull/386 -- Prevents arbitrary code execution during python/object/new constructor
+* https://github.com/yaml/pyyaml/pull/407 -- build modernization, remove distutils, fix metadata, build wheels, CI to GHA
+* https://github.com/yaml/pyyaml/pull/472 -- fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
+* https://github.com/yaml/pyyaml/pull/441 -- fix memory leak in implicit resolver setup
+* https://github.com/yaml/pyyaml/pull/392 -- fix py2 copy support for timezone objects
+* https://github.com/yaml/pyyaml/pull/378 -- fix compatibility with Jython
 
 
 Resources
@@ -55,6 +64,7 @@ files to object serialization and persistence.
 Example
 =======
 
+```
 >>> import yaml
 
 >>> yaml.full_load("""
@@ -72,7 +82,7 @@ name: PyYAML
 homepage: https://github.com/yaml/pyyaml
 description: YAML parser and emitter for Python
 keywords: [YAML, serialization, configuration, persistence, pickle]
-
+```
 
 Maintainers
 ===========
@@ -89,7 +99,7 @@ See: https://github.com/yaml/pyyaml/pulls
 Copyright
 =========
 
-Copyright (c) 2017-2020 Ingy döt Net <ingy@ingy.net>
+Copyright (c) 2017-2021 Ingy döt Net <ingy@ingy.net>
 Copyright (c) 2006-2016 Kirill Simonov <xi@resolvent.net>
 
 The PyYAML module was written by Kirill Simonov <xi@resolvent.net>.

lib/yaml/__init__.py

@@ -8,7 +8,7 @@
 from loader import *
 from dumper import *
 
-__version__ = '5.4.0a0'
+__version__ = '5.4'
 
 try:
  from cyaml import *

lib3/yaml/__init__.py

@@ -8,7 +8,7 @@
 from .loader import *
 from .dumper import *
 
-__version__ = '5.4.0a0'
+__version__ = '5.4'
 try:
  from .cyaml import *
  __with_libyaml__ = True

setup.py

@@ -1,6 +1,6 @@
 
 NAME = 'PyYAML'
-VERSION = '5.4.0a0'
+VERSION = '5.4'
 DESCRIPTION = "YAML parser and emitter for Python"
 LONG_DESCRIPTION = """\
 YAML is a data serialization format designed for human readability