fix: use yaml.safe_dump() and add pickle security warning (CWE-502) (#563)

Agent-Logs-Url: https://github.com/fabiocaccamo/python-benedict/sessions/1831baca-52a5-437a-b931-886a059e7683

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: fabiocaccamo <1035294+fabiocaccamo@users.noreply.github.com>

Author: Copilot

benedict/serializers/pickle.py

@@ -10,6 +10,10 @@
 class PickleSerializer(AbstractSerializer[str, Any]):
     """
     This class describes a pickle serializer.
+
+    Security warning: Pickle deserialization can execute arbitrary code.
+    Only use this serializer with data from trusted sources that you control.
+    Never deserialize pickle data received from untrusted or external sources.
     """
 
     @override
@@ -23,7 +27,7 @@ def __init__(self) -> None:
     @override
     def decode(self, s: str, **kwargs: Any) -> Any:
         encoding = kwargs.pop("encoding", "utf-8")
-        return pickle.loads(base64.b64decode(s.encode(encoding)), **kwargs)
+        return pickle.loads(base64.b64decode(s.encode(encoding)), **kwargs)  # nosec B301
 
     @override
     def encode(self, d: Any, **kwargs: Any) -> str:

benedict/serializers/yaml.py

@@ -45,5 +45,5 @@ def decode(self, s: str, **kwargs: Any) -> Any:
     def encode(self, d: Any, **kwargs: Any) -> str:
         require_yaml(installed=yaml_installed)
         d = self._json_serializer.decode(self._json_serializer.encode(d))
-        data = yaml.dump(d, **kwargs)
+        data = yaml.safe_dump(d, **kwargs)
         return cast("str", data)