From 62f1e82e032eb16565e676d39e0db0cac7e34ace Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Mochol=C3=AD?= Date: Fri, 17 Dec 2021 21:27:15 +0100 Subject: [PATCH] Fix CVE-2020-1747 and CVE-2020-14343 (#11099) --- CHANGELOG.md | 4 ++-- pytorch_lightning/core/saving.py | 2 +- requirements.txt | 2 +- tests/loggers/test_csv.py | 2 -- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9990bff5f2153..5dec23f7db216 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -293,10 +293,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). ### Fixed -- Fixed a bug to disable logging hyperparameters in logger if there are no hparams ([#11105](https://github.com/PyTorchLightning/pytorch-lightning/issues/11105)) +- Fixed security vulnerabilities CVE-2020-1747 and CVE-2020-14343 caused by the `PyYAML` dependency ([#11099](https://github.com/PyTorchLightning/pytorch-lightning/pull/11099)) -- +- Fixed a bug to disable logging hyperparameters in logger if there are no hparams ([#11105](https://github.com/PyTorchLightning/pytorch-lightning/issues/11105)) - Avoid the deprecated `onnx.export(example_outputs=...)` in torch 1.10 ([#11116](https://github.com/PyTorchLightning/pytorch-lightning/pull/11116)) diff --git a/pytorch_lightning/core/saving.py b/pytorch_lightning/core/saving.py index 4d9c820dfefc3..8bc751fe0d99f 100644 --- a/pytorch_lightning/core/saving.py +++ b/pytorch_lightning/core/saving.py @@ -344,7 +344,7 @@ def load_hparams_from_yaml(config_yaml: str, use_omegaconf: bool = True) -> Dict return {} with fs.open(config_yaml, "r") as fp: - hparams = yaml.load(fp, Loader=yaml.UnsafeLoader) + hparams = yaml.full_load(fp) if _OMEGACONF_AVAILABLE: if use_omegaconf: diff --git a/requirements.txt b/requirements.txt index 94b7151d73641..c708817bfe9b3 100644 --- a/requirements.txt +++ b/requirements.txt 
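Review bot: `yaml.full_load(fp)` in `load_hparams_from_yaml` still resolves `!!python/name:` tags to attributes of any module already present in `sys.modules` (presumably why the `torch.nn.BatchNorm1d` entry survives in the test while the `Namespace` one is dropped), so an hparams.yaml from an untrusted source can still name arbitrary callables even though `python/object` and `python/object/apply` are now refused; for attacker-controlled paths `yaml.safe_load` is the correct loader. The hardened FullLoader only exists on PyYAML >= 5.4 (on older installs `full_load` is precisely the CVE-2020-14343 surface), so this line is only as strong as the `requirements.txt` pin, which a comment above the call should make explicit: `# FullLoader (PyYAML >= 5.4) refuses python/object tags but still resolves !!python/name for imported modules; use safe_load for files you do not trust`. Files written by earlier releases with `!!python/object:argparse.Namespace` tags will now fail here with a bare `yaml.constructor.ConstructorError` that gives no hint the loader was tightened; consider catching it and re-raising with a message naming the stricter loader, or at least documenting it in the function docstring. `load_hparams_from_yaml` starts before and continues after this hunk.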
@@ -4,7 +4,7 @@ numpy>=1.17.2
 torch>=1.7.*
 future>=0.17.1 # required for builtins in setup.py
 tqdm>=4.41.0
-PyYAML>=5.1
+PyYAML>=5.4
 fsspec[http]>=2021.05.0, !=2021.06.0
 tensorboard>=2.2.0
 torchmetrics>=0.4.1
diff --git a/tests/loggers/test_csv.py b/tests/loggers/test_csv.py
index 1985bbe7ef25d..b5aae1dba8f9e 100644
--- a/tests/loggers/test_csv.py
+++ b/tests/loggers/test_csv.py
@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import os
-from argparse import Namespace
 from unittest.mock import MagicMock
 
 import pytest
@@ -95,7 +94,6 @@ def test_file_logger_log_hyperparams(tmpdir):
         "bool": True,
         "dict": {"a": {"b": "c"}},
         "list": [1, 2, 3],
-        "namespace": Namespace(foo=Namespace(bar="buzz")),
         "layer": torch.nn.BatchNorm1d,
     }
     logger.log_hyperparams(hparams)