{"id":14844,"library":"pyyml","title":"PyYML (Python in YAML)","description":"This library, `pyyml` (version 0.0.2), aims to integrate Python code execution directly within YAML documents. Released in 2019, it appears to be an unmaintained project with its last release several years ago, focusing on enabling Python names and expressions to be evaluated during YAML loading. This functionality, while seemingly powerful, introduces significant security vulnerabilities, as arbitrary Python code can be executed from untrusted YAML sources. It is distinct from the widely used and actively maintained `PyYAML` library.","status":"abandoned","version":"0.0.2","language":"en","source_language":"en","source_url":"https://github.com/q1394168335/pyyml","tags":["yaml","configuration","serialization","deserialization","security-risk","abandoned"],"install":[{"cmd":"pip install pyyml","lang":"bash","label":"Install pyyml"}],"dependencies":[],"imports":[{"note":"Used for loading YAML documents that may contain Python code or references.","symbol":"PythonLoader","correct":"from pyyml.pyyml import PythonLoader"},{"note":"Used for dumping Python objects into YAML, potentially serializing Python-specific tags.","symbol":"PythonDumper","correct":"from pyyml.pyyml import PythonDumper"},{"note":"The core YAML library (likely PyYAML) used by pyyml for underlying parsing/emitting.","symbol":"yaml","correct":"import yaml"}],"quickstart":{"code":"import yaml\nfrom pyyml.pyyml import PythonLoader, PythonDumper\n\n# Example YAML with Python code (!!python/eval and !!python/name)\nyaml_string = \"\"\"\nmessage: !!python/eval \"'Hello, ' + 'World!'\"\nversion_info: !!python/name 'sys.version_info'\ncalculate: !!python/eval \"lambda x, y: x + y\"\n\"\"\"\n\n# Load the YAML using PythonLoader\ndata = yaml.load(yaml_string, Loader=PythonLoader)\n\nprint(f\"Message: {data['message']}\")\nprint(f\"Python Version Info: {data['version_info']}\")\nprint(f\"Calculation (5 + 3): {data['calculate'](5, 3)}\")\n\n# Example of dumping (if PythonDumper is used for custom types)\npython_data = {\n    'my_list': [1, 2, 3],\n    'my_tuple': (4, 5),\n    'my_set': {6, 7}\n}\n# Note: PythonDumper may not handle all arbitrary Python objects without custom constructors/representers.\n# For simple types, it behaves like SafeDumper.\ndumped_yaml = yaml.dump(python_data, Dumper=PythonDumper, default_flow_style=False)\nprint(\"\\nDumped YAML:\")\nprint(dumped_yaml)\n","lang":"python","description":"This quickstart demonstrates how to load a YAML string containing Python evaluation tags (`!!python/eval`) and name references (`!!python/name`) using `pyyml`'s `PythonLoader`. It also shows a basic example of dumping Python data using `PythonDumper`."},"warnings":[{"fix":"It is strongly recommended to avoid using `pyyml`. For safe YAML parsing and emitting, use the actively maintained `PyYAML` library and specifically its `yaml.safe_load()` and `yaml.safe_dump()` functions, or `yaml.load(..., Loader=yaml.FullLoader)` for more features with reasonable security. If embedding Python logic is absolutely necessary, consider safer alternatives like configuration files that are parsed by custom Python scripts rather than executed directly by a YAML loader.","message":"The `pyyml` library is extremely old (last release 2019) and appears to be unmaintained. It is not compatible with modern Python practices or security standards. Use of this library may lead to unexpected behavior or system instability on newer Python versions.","severity":"breaking","affected_versions":"All versions (0.0.2)"},{"fix":"NEVER use `pyyml` with YAML files from untrusted sources. If you must use it in a highly controlled environment, ensure all YAML input is meticulously validated and comes from a fully trusted, internal source. Even then, consider if this functionality is truly necessary or if a more secure design pattern (e.g., dedicated configuration parsing logic) could be used.","message":"Using `pyyml` for 'Python in YAML' introduces severe security vulnerabilities. The `PythonLoader` explicitly enables the execution of arbitrary Python code (via `!!python/eval` and `!!python/name`) during YAML loading. This means that processing untrusted YAML input with `pyyml` can lead to remote code execution (RCE) or other malicious activities.","severity":"breaking","affected_versions":"All versions (0.0.2)"},{"fix":"If you intend to use the standard Python YAML library, install `PyYAML` (`pip install PyYAML`). If you are experimenting with `pyyml`, understand it's a separate, likely abandoned, project and may require `PyYAML` as an underlying dependency (though not explicitly listed in `pyyml`'s `setup.py`, its code directly uses `import yaml`).","message":"The `pyyml` library is distinct from `PyYAML`, the widely adopted YAML parser. Installing `pyyml` will not give you the `PyYAML` package, and vice-versa. Attempting to use `import yaml` after only installing `pyyml` will likely result in an `ImportError` if `PyYAML` is not also installed.","severity":"gotcha","affected_versions":"All versions (0.0.2)"}],"env_vars":null,"last_verified":"2026-04-15T00:00:00.000Z","next_check":"2026-07-14T00:00:00.000Z","problems":[],"ecosystem":"pypi"}