From 15f5e8b9c696e65c88a2ad48f554f71c1505aec6 Mon Sep 17 00:00:00 2001
From: Quigley Malcolm
Date: Fri, 23 Feb 2024 09:13:51 -0800
Subject: [PATCH] Upgrade Jinja2 dependency version specification to address CVE-2024-22195 (#9638)
CVE-2024-22195 identified an issue in Jinja2 versions <= 3.1.2. As such we've gone and changed our dependency requirement specification to be 3.1.3 or greater (but less than 4). Note: Preivously we were using the `~=` version specifier. However due to some issues with the `~=` we've moved to using `>=` in combination with `<`. This gives us the same range that `~=` gave us, but avoids a pip resolution issue when multiple packages in an environment use `~=` for the same dependency.
---
 .changes/unreleased/Security-20240222-152445.yaml | 6 ++++++
 core/setup.py | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 .changes/unreleased/Security-20240222-152445.yaml
diff --git a/.changes/unreleased/Security-20240222-152445.yaml b/.changes/unreleased/Security-20240222-152445.yaml
new file mode 100644
index 00000000000..5c92c452ab0
--- /dev/null
+++ b/.changes/unreleased/Security-20240222-152445.yaml
@@ -0,0 +1,6 @@
+kind: Security
+body: Update Jinja2 to >= 3.1.3 to address CVE-2024-22195
+time: 2024-02-22T15:24:45.158305-08:00
+custom:
+ Author: QMalcolm
+ PR: CVE-2024-22195
diff --git a/core/setup.py b/core/setup.py
index f1c6701844d..354bae13187 100644
--- a/core/setup.py
+++ b/core/setup.py
@@ -50,7 +50,7 @@
 # dbt-core uses these packages deeply, throughout the codebase, and there have been breaking changes in past patch releases (even though these are major-version-one).
 # Pin to the patch or minor version, and bump in each new minor version of dbt-core.
 "agate~=1.7.0",
- "Jinja2~=3.1.2",
+ "Jinja2>=3.1.3,<4",
 "mashumaro[msgpack]~=3.8.1",
 # ----
 # Legacy: This package has not been updated since 2019, and it is unused in dbt's logging system (since v1.0)
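Review bot: The new specifier `"Jinja2>=3.1.3,<4"` widens the accepted range rather than preserving it: under PEP 440 `~=3.1.2` means `>=3.1.2,<3.2`, so the replacement now admits every future 3.x minor, which contradicts the `# Pin to the patch or minor version` comment two lines above it and the commit message's claim that the range is unchanged. If the minor-pinned range is still intended, the equivalent fixed line is `"Jinja2>=3.1.3,<3.2",`; if widening is deliberate because 3.1.3 is the patched release, the comment above should note that Jinja2 is an exception to the minor pin so the next routine bump does not silently narrow or widen it again. Separately, the changelog hunk's `PR:` field carries the CVE id where the PR number (#9638 per the subject) presumably belongs.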