Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency Jinja2 to v3 #23

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency Jinja2 to v3 #23

wants to merge 1 commit into from

Conversation

mend-for-github-com[bot]
Copy link

@mend-for-github-com mend-for-github-com bot commented May 7, 2024
edited
Loading

This PR contains the following updates:

Package Update Change
Jinja2 (changelog) major ==2.11.2 -> ==3.1.5

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity CVSS Score CVE
High High 8.8 CVE-2024-56201
Medium Medium 6.7 CVE-2024-56326
Medium Medium 5.4 CVE-2024-22195
Medium Medium 5.4 CVE-2024-34064
Medium Medium 5.3 CVE-2020-28493

Release Notes

pallets/jinja (Jinja2)

v3.1.5

Compare Source

Released 2024-12-21

  • The sandboxed environment handles indirect calls to str.format, such as
    by passing a stored reference to a filter that calls its argument.
    :ghsa:q2x7-8rv6-6q7h
  • Escape template name before formatting it into error messages, to avoid
    issues with names that contain f-string syntax.
    :issue:1792, :ghsa:gmj6-6f8f-6699
  • Sandbox does not allow clear and pop on known mutable sequence
    types. :issue:2032
  • Calling sync render for an async template uses asyncio.run.
    :pr:1952
  • Avoid unclosed auto_aiter warnings. :pr:1960
  • Return an aclose-able AsyncGenerator from
    Template.generate_async. :pr:1960
  • Avoid leaving root_render_func() unclosed in
    Template.generate_async. :pr:1960
  • Avoid leaving async generators unclosed in blocks, includes and extends.
    :pr:1960
  • The runtime uses the correct concat function for the current environment
    when calling block references. :issue:1701
  • Make |unique async-aware, allowing it to be used after another
    async-aware filter. :issue:1781
  • |int filter handles OverflowError from scientific notation.
    :issue:1921
  • Make compiling deterministic for tuple unpacking in a {% set ... %}
    call. :issue:2021
  • Fix dunder protocol (copy/pickle/etc) interaction with Undefined
    objects. :issue:2025
  • Fix copy/pickle support for the internal missing object.
    :issue:2027
  • Environment.overlay(enable_async) is applied correctly. :pr:2061
  • The error message from FileSystemLoader includes the paths that were
    searched. :issue:1661
  • PackageLoader shows a clearer error message when the package does not
    contain the templates directory. :issue:1705
  • Improve annotations for methods returning copies. :pr:1880
  • urlize does not add mailto: to values like @a@b. :pr:1870
  • Tests decorated with @pass_context`` can be used with the ``|select`` filter. :issue:1624`
  • Using set for multiple assignment (a, b = 1, 2) does not fail when the
    target is a namespace attribute. :issue:1413
  • Using set in all branches of {% if %}{% elif %}{% else %} blocks
    does not cause the variable to be considered initially undefined.
    :issue:1253

v3.1.4

Compare Source

Released 2024-05-05

  • The xmlattr filter does not allow keys with / solidus, >
    greater-than sign, or = equals sign, in addition to disallowing spaces.
    Regardless of any validation done by Jinja, user input should never be used
    as keys to this filter, or must be separately validated first.
    :ghsa:h75v-3vvj-5mfj

v3.1.3

Compare Source

Released 2024-01-10

  • Fix compiler error when checking if required blocks in parent templates are
    empty. :pr:1858
  • xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
  • Make error messages stemming from invalid nesting of {% trans %} blocks
    more helpful. :pr:1918

v3.1.2

Compare Source

Released 2022-04-28

  • Add parameters to Environment.overlay to match __init__.
    :issue:1645
  • Handle race condition in FileSystemBytecodeCache. :issue:1654

v3.1.1

Compare Source

Released 2022-03-25

  • The template filename on Windows uses the primary path separator.
    :issue:1637

v3.1.0

Compare Source

Released 2022-03-24

  • Drop support for Python 3.6. :pr:1534

  • Remove previously deprecated code. :pr:1544

    • WithExtension and AutoEscapeExtension are built-in now.
    • contextfilter and contextfunction are replaced by
      pass_context. evalcontextfilter and
      evalcontextfunction are replaced by pass_eval_context.
      environmentfilter and environmentfunction are replaced
      by pass_environment.
    • Markup and escape should be imported from MarkupSafe.
    • Compiled templates from very old Jinja versions may need to be
      recompiled.
    • Legacy resolve mode for Context subclasses is no longer
      supported. Override resolve_or_missing instead of
      resolve.
    • unicode_urlencode is renamed to url_quote.

  • Add support for native types in macros. :issue:1510

  • The {% trans %} tag can use pgettext and npgettext by
    passing a context string as the first token in the tag, like
    {% trans "title" %}. :issue:1430

  • Update valid identifier characters from Python 3.6 to 3.7.
    :pr:1571

  • Filters and tests decorated with @async_variant are pickleable.
    :pr:1612

  • Add items filter. :issue:1561

  • Subscriptions ([0], etc.) can be used after filters, tests, and
    calls when the environment is in async mode. :issue:1573

  • The groupby filter is case-insensitive by default, matching
    other comparison filters. Added the case_sensitive parameter to
    control this. :issue:1463

  • Windows drive-relative path segments in template names will not
    result in FileSystemLoader and PackageLoader loading from
    drive-relative paths. :pr:1621

v3.0.3

Compare Source

Released 2021-11-09

  • Fix traceback rewriting internals for Python 3.10 and 3.11.
    :issue:1535
  • Fix how the native environment treats leading and trailing spaces
    when parsing values on Python 3.10. :pr:1537
  • Improve async performance by avoiding checks for common types.
    :issue:1514
  • Revert change to hash(Node) behavior. Nodes are hashed by id
    again :issue:1521
  • PackageLoader works when the package is a single module file.
    :issue:1512

v3.0.2

Compare Source

Released 2021-10-04

  • Fix a loop scoping bug that caused assignments in nested loops
    to still be referenced outside of it. :issue:1427
  • Make compile_templates deterministic for filter and import
    names. :issue:1452, 1453
  • Revert an unintended change that caused Undefined to act like
    StrictUndefined for the in operator. :issue:1448
  • Imported macros have access to the current template globals in async
    environments. :issue:1494
  • PackageLoader will not include a current directory (.) path
    segment. This allows loading templates from the root of a zip
    import. :issue:1467

v3.0.1

Compare Source

Released 2021-05-18

  • Update MarkupSafe dependency to >= 2.0. :pr:1418
  • Mark top-level names as exported so type checking understands
    imports in user projects. :issue:1426
  • Fix some types that weren't available in Python 3.6.0. :issue:1433
  • The deprecation warning for unneeded autoescape and with_
    extensions shows more relevant context. :issue:1429
  • Fixed calling deprecated jinja2.Markup without an argument.
    Use markupsafe.Markup instead. :issue:1438
  • Calling sync render for an async template uses asyncio.new_event_loop
    This fixes a deprecation that Python 3.10 introduces. :issue:1443

v3.0.0

Compare Source

Released 2021-05-11

  • Drop support for Python 2.7 and 3.5.

  • Bump MarkupSafe dependency to >=1.1.

  • Bump Babel optional dependency to >=2.1.

  • Remove code that was marked deprecated.

  • Add type hinting. :pr:1412

  • Use :pep:451 API to load templates with
    :class:~loaders.PackageLoader. :issue:1168

  • Fix a bug that caused imported macros to not have access to the
    current template's globals. :issue:688

  • Add ability to ignore trim_blocks using +%}. :issue:1036

  • Fix a bug that caused custom async-only filters to fail with
    constant input. :issue:1279

  • Fix UndefinedError incorrectly being thrown on an undefined variable
    instead of Undefined being returned on
    NativeEnvironment on Python 3.10. :issue:1335

  • Blocks can be marked as required. They must be overridden at
    some point, but not necessarily by the direct child. :issue:1147

  • Deprecate the autoescape and with extensions, they are
    built-in to the compiler. :issue:1203

  • The urlize filter recognizes mailto: links and takes
    extra_schemes (or env.policies["urlize.extra_schemes"]) to
    recognize other schemes. It tries to balance parentheses within a
    URL instead of ignoring trailing characters. The parsing in general
    has been updated to be more efficient and match more cases. URLs
    without a scheme are linked as https:// instead of http://.
    :issue:522, 827, 1172, :pr:1195

  • Filters that get attributes, such as map and groupby, can
    use a false or empty value as a default. :issue:1331

  • Fix a bug that prevented variables set in blocks or loops from
    being accessed in custom context functions. :issue:768

  • Fix a bug that caused scoped blocks from accessing special loop
    variables. :issue:1088

  • Update the template globals when calling
    Environment.get_template(globals=...) even if the template was
    already loaded. :issue:295

  • Do not raise an error for undefined filters in unexecuted
    if-statements and conditional expressions. :issue:842

  • Add is filter and is test tests to test if a name is a
    registered filter or test. This allows checking if a filter is
    available in a template before using it. Test functions can be
    decorated with @pass_environment, @pass_eval_context,
    or @pass_context. :issue:842, :pr:1248

  • Support pgettext and npgettext (message contexts) in i18n
    extension. :issue:441

  • The |indent filter's width argument can be a string to
    indent by. :pr:1167

  • The parser understands hex, octal, and binary integer literals.
    :issue:1170

  • Undefined.__contains__ (in) raises an UndefinedError
    instead of a TypeError. :issue:1198

  • Undefined is iterable in an async environment. :issue:1294

  • NativeEnvironment supports async mode. :issue:1362

  • Template rendering only treats \n, \r\n and \r as line
    breaks. Other characters are left unchanged. :issue:769, 952, 1313

  • |groupby filter takes an optional default argument.
    :issue:1359

  • The function and filter decorators have been renamed and unified.
    The old names are deprecated. :issue:1381

    • pass_context replaces contextfunction and
      contextfilter.
    • pass_eval_context replaces evalcontextfunction and
      evalcontextfilter
    • pass_environment replaces environmentfunction and
      environmentfilter.

  • Async support no longer requires Jinja to patch itself. It must
    still be enabled with Environment(enable_async=True).
    :issue:1390

  • Overriding Context.resolve is deprecated, override
    resolve_or_missing instead. :issue:1380

v2.11.3

Compare Source

Released 2021-01-31

  • Improve the speed of the urlize filter by reducing regex
    backtracking. Email matching requires a word character at the start
    of the domain part, and only word characters in the TLD. :pr:1343
  • If you want to rebase/retry this PR, check this box

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label May 7, 2024
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/jinja2-3.x branch from 0df4988 to 0b854d5 Compare February 25, 2025 06:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
security fix Security fix generated by Mend
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants