What's Changed
- SECURITY: Cassettes are now loaded with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded. Previously a crafted cassette containing a Python object tag (e.g.
!!python/object/apply:os.system) would execute code on load, including via the normalvcr.use_cassette()path. Existing cassettes (including file-upload/streaming bodies) continue to load. Advisory: GHSA-rpj2-4hq8-938g — thanks @RamiAltai and @EQSTLab for the reports. - Validate
record_modeand raise a clear error on an invalid value (#208) - Recommend pytest-recording over the unmaintained pytest-vcr in the docs (#986)
Full Changelog: v8.2.0...v8.2.1