
[requirements] bumping pyyaml to 5.1 #3839

Merged: truthbk merged 3 commits into master from jaime/pyyaml_bump on May 6, 2019

Conversation

@truthbk (Member) commented Apr 30, 2019

What does this PR do?

Bumps PyYaml to the latest 5.1.

Motivation

Enable new full_load() option for customers perhaps wanting to use that after load_all() was patched for security reasons.

Testing Guidelines

An overview on testing is available in our contribution guidelines.

@truthbk truthbk force-pushed the jaime/pyyaml_bump branch from 9c924bf to 7df3019 on April 30, 2019 10:16

@hydrosquall (Member) commented
Chiming in because I've been waiting on updating pyyaml in my own python package for a little while and have been following this issue closely since the 4.x release last summer. Since DD enforces an API boundary in ddyaml.py, which monkey-patches yaml.load to be safe, it looks like the upgrade doesn't require any internal API rewrite.

However, there are some possible small internal breakages that will be patched in 5.2, as indicated in this release note: yaml/pyyaml#265

@truthbk truthbk merged commit b318272 into master May 6, 2019
@truthbk truthbk deleted the jaime/pyyaml_bump branch May 6, 2019 13:20
@truthbk (Member, Author) commented May 6, 2019

Note: Further context on why the monkey patch has been kept in place follows. The pyyaml authors go on to say the following about the 5.1 release (yaml/pyyaml#257):

We still recommend that people choose SafeLoader for untrusted data, but arbitrary code execution will no longer be possible using yaml.load() with the default loader (FullLoader). FullLoader will instantiate objects of classes that you have imported. Since object instantiation runs the class's constructor code, that may be exploitable.

Because the FullLoader still presents some exploitable vector, we will wait for 6.0, when yaml.load() will raise an exception if no loader is specified in the calling code, to remove the monkey patch.
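
As an added example (not code from this PR or from the agent's ddyaml.py), here is a minimal form of the monkey patch the thread refers to: yaml.load is rebound to a wrapper that parses with SafeLoader no matter which Loader the caller requests, so a document carrying a Python-specific tag is rejected instead of constructing an object. The function names, the sample documents and PyYAML 5.1 or later are assumptions made for the illustration.

```python
import yaml

# Constructed sample documents for this example (not from the PR): an
# ordinary config, and one carrying a Python-specific tag that FullLoader
# understands but SafeLoader does not.
PLAIN_DOC = "logs_enabled: true\nmax_threads: 4\n"
TAGGED_DOC = "pair: !!python/tuple [1, 2]\n"

# FullLoader exists from PyYAML 5.1; fall back to the classic Loader on
# older releases so the demonstration still runs.
FULL_LOADER = getattr(yaml, "FullLoader", yaml.Loader)

_original_load = yaml.load  # kept so the guard can delegate to the real parser


def _guarded_load(stream, Loader=None, *args, **kwargs):
    """Drop-in replacement for yaml.load: whatever Loader the caller asked
    for, parse with SafeLoader, which has no constructors for python/* tags."""
    return _original_load(stream, Loader=yaml.SafeLoader)


def install_safe_yaml_load():
    """Hypothetical stand-in for the ddyaml.py monkey patch: rebinds
    yaml.load module-wide, so yaml.full_load() and third-party callers that
    pass their own Loader go through the guard too."""
    yaml.load = _guarded_load


def load_or_reject(text):
    """Parse text through yaml.load requesting FullLoader, as a caller that
    opts into full_load() would. Returns ("ok", data) or ("rejected", reason)."""
    try:
        return ("ok", yaml.load(text, Loader=FULL_LOADER))
    except yaml.YAMLError as exc:
        # ConstructorError text starts with the reason; drop the mark lines.
        return ("rejected", str(exc).splitlines()[0])


if __name__ == "__main__":
    print("before patch:", load_or_reject(TAGGED_DOC))  # tuple gets built
    install_safe_yaml_load()
    print("after patch: ", load_or_reject(TAGGED_DOC))  # tag is rejected
    print("plain config:", load_or_reject(PLAIN_DOC))   # still parses
```

Note that yaml.load_all is a separate entry point and would need the same treatment.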

remeh added a commit that referenced this pull request May 14, 2019
remeh pushed a commit that referenced this pull request May 14, 2019
* [requirements] bumping pyyaml to 5.1

* [gemfile] pinning parallel to ruby 2.2 compatible version

* [gemfile] address alphabetical cop
remeh added a commit that referenced this pull request May 22, 2019