From 6a8a32d3a8310fbc564a649a389919ea2029ae6d Mon Sep 17 00:00:00 2001
From: alfarel
Date: Mon, 25 May 2026 22:24:03 -0400
Subject: [PATCH] convert-scheme: do not allow arbitrary python code execution
Probably not relevant, but there doesn't seem to be a reason to use the full loader as far as I can tell...
---
 packages/convert-scheme/package.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/convert-scheme/package.nix b/packages/convert-scheme/package.nix
index eae23c9..121a54c 100644
--- a/packages/convert-scheme/package.nix
+++ b/packages/convert-scheme/package.nix
@@ -9,7 +9,7 @@ pkgs.writers.writePython3Bin "convert-scheme" {
 def yaml_to_json(yaml_file, json_file):
 with open(yaml_file, 'r') as yml_file:
- data = yaml.load(yml_file, Loader=yaml.FullLoader)
+ data = yaml.safe_load(yml_file)
 with open(json_file, 'w') as json_file:
 json.dump(data, json_file, indent=4)
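Review bot: The result of `yaml.safe_load` on the added line is still handed to `json.dump` unchecked, and the output file is opened with `'w'` (truncating it) before serialization can fail. An empty input makes `data` `None` and writes `null`, and YAML timestamp scalars load as `datetime` objects, which `json.dump` rejects with `TypeError` after the target has already been emptied. Consider validating before the second `with`, e.g. `if not isinstance(data, dict): raise SystemExit("expected a YAML mapping")`, assuming scheme files are mappings, which the hunk does not show. A short comment on the load line, such as `# safe_load: scheme files may be third-party, build plain types only`, would also keep the loader from being switched back later. The script's imports and its caller are outside the hunk.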