All contributions to ruyaml are welcome. Please post an issue or, if possible, a pull request (PR) on github.

Please don’t use issues to post support questions.

TODO:: The maintainers of ruyaml don’t have an official support channel yet.


The documentation for ruyaml is written in the ReStructured Text format and follows the Sphinx Document Generator’s conventions.


Code changes are welcome as well, but anything beyond a minor change should be tested (tox/pytest), checked for typing conformance (mypy) and pass pep8 conformance (flake8).

In my experience it is best to use two virtualenv environments, one with the latest Python from the 2.7 series, the other with 3.5 or 3.6. In the site-packages directory of each virtualenv make a soft link to the ruyaml directory of your (cloned and checked out) copy of the repository. Do not under any circumstances run pip install -e . or python -e . it will not work (at least not until these commands are fixed to support packages with namespaces).

You can install tox, pytest, mypy and flake8 in the Python3 virtualenv, or in a virtualenv of their own. If all of these commands pass without warning/error, you can create your pull-request.


The Flake8 configuration is part of

show-source = True
max-line-length = 95
ignore = F405

The suppress of F405 is necessary to allow from xxx import *.

Please make sure your checked out source passes flake8 without test (it should). Then make your changes pass without any warnings/errors.


Whether you add something or fix some bug with your code changes, first add one or more tests that fail in the unmodified source when running tox. Once that is in place add your code, which should have as a result that your added test(s) no longer fail, and neither should any other existing tests.


You should run mypy from ruyaml’s source directory:

mypy --strict --follow-imports silent lib/ruyaml/*.py

This command should give no errors or warnings.


If you find a vulnerability in ruyaml (e.g. that would show the safe and rt loader are not safe due to a bug in the software)), please contact the maintainers directly via email.

After the vulnerability is removed, and affected parties notified to allow them to update versions, the vulnerability will be published, and your role in finding/resolving this properly attributed.