Upgrade Jinja2 dependency version specification to address CVE-2024-22195 (#85)

CVE-2024-22195 identified an issue in Jinja2 versions <= 3.1.2. As such
we've gone and changed our dependency requirement specification to be
3.1.3 or greater (but less than 4).

Note: Previously we were using the `~=` version specifier. However, due
to some issues with the `~=` we've moved to using `>=` in combination
with `<`. This gives us the same range that `~=` gave us, but avoids
a pip resolution issue when multiple packages in an environment use `~=`
for the same dependency.
QMalcolm authored Feb 23, 2024
1 parent c61d318 commit 1172529
Showing 1 changed file with 1 addition and 1 deletion.
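The commit message relies on the equivalence between the PEP 440 compatible-release operator (`~=`) and an explicit `>=`/`<` pair, and on the fact that the old `Jinja2~=3.0` range still admitted the affected 3.1.2 release. The following is an added example, not code from the dbt-common repository or from the commit author: a standard-library-only evaluator that expands `~=` clauses into their explicit range and checks candidate versions against both specifiers from the diff. The version numbers it evaluates are constructed for the example (only 3.1.2 and 3.1.3 are taken from the commit message), and the parser deliberately supports only dotted integer releases, which is all the `pyproject.toml` snippet uses.

```python
# Added example (not part of dbt-common or the commit above): PEP 440
# compatible-release ('~=') semantics implemented with the standard library.
# Supports dotted integer releases only (no pre/post/dev/local segments),
# which is sufficient for the specifiers that appear in the diff.
import re
from typing import Dict, Tuple

_CLAUSE = re.compile(r"(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)")
_COMPAT = re.compile(r"\s*~=\s*(\d+(?:\.\d+)+)\s*")
_OPS = {
    ">=": lambda v, b: v >= b,
    ">": lambda v, b: v > b,
    "<=": lambda v, b: v <= b,
    "<": lambda v, b: v < b,
    "==": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.1.3' -> (3, 1, 3). Anything that is not dotted integers is rejected."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def _key(parts: Tuple[int, ...]) -> Tuple[int, ...]:
    """Comparison key: drop trailing zeros so 3 == 3.0 == 3.0.0 (PEP 440)."""
    out = list(parts)
    while len(out) > 1 and out[-1] == 0:
        out.pop()
    return tuple(out)


def compatible_release_to_range(spec: str) -> str:
    """Expand '~=X.Y[.Z]' into the equivalent '>=X.Y[.Z],<UPPER' pair.

    '~=3.0'   -> '>=3.0,<4'      (the range the commit message describes)
    '~=3.1.3' -> '>=3.1.3,<3.2'
    The upper bound drops the last component and increments the one before it.
    """
    m = _COMPAT.fullmatch(spec)
    if not m:
        raise ValueError(f"not a compatible-release clause: {spec!r}")
    lower = m.group(1)
    prefix = list(parse_version(lower)[:-1])
    prefix[-1] += 1
    upper = ".".join(str(p) for p in prefix)
    return f">={lower},<{upper}"


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause in `spec`.

    '~=' clauses are expanded first, so the old and new Jinja2 specifiers
    from the diff can be evaluated by the same code path.
    """
    v = _key(parse_version(version))
    for clause in spec.split(","):
        clause = clause.strip()
        if clause.startswith("~="):
            if not satisfies(version, compatible_release_to_range(clause)):
                return False
            continue
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, _key(parse_version(bound))):
            return False
    return True


def jinja2_spec_check() -> Dict[str, Dict[str, bool]]:
    """Evaluate the two Jinja2 specifiers from the diff against sample versions.

    Returns {requirement: {version: allowed}}. 3.1.2 (affected) and 3.1.3
    (required floor) come from the commit message; the other version numbers
    are constructed points in the range, not a list of actual releases.
    """
    requirements = ("Jinja2~=3.0", "Jinja2>=3.1.3,<4")
    versions = ("3.0.0", "3.1.2", "3.1.3", "3.1.4", "4.0.0")
    result: Dict[str, Dict[str, bool]] = {}
    for req in requirements:
        name, clauses = re.fullmatch(r"([A-Za-z0-9_.\-]+)(.*)", req).groups()
        result[req] = {ver: satisfies(ver, clauses) for ver in versions}
    return result


if __name__ == "__main__":
    for req, table in jinja2_spec_check().items():
        print(req, table)
```

Running the block prints that `Jinja2~=3.0` admits 3.1.2 while `Jinja2>=3.1.3,<4` rejects it and both reject 4.0.0, which is the whole point of the one-line change: the old compatible-release floor of 3.0 never excluded the affected version.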
2 changes: 1 addition & 1 deletion pyproject.toml
@@ -31,7 +31,7 @@ dependencies = [
"colorama>=0.3.9,<0.5",
"isodate>=0.6,<0.7",
"jsonschema~=4.0",
"Jinja2~=3.0",
"Jinja2>=3.1.3,<4",
"mashumaro[msgpack]~=3.9",
"pathspec>=0.9,<0.12",
"protobuf>=4.0.0,<5.0.0",
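Review bot: the hunk switches only Jinja2 away from `~=`, while `jsonschema~=4.0` and `mashumaro[msgpack]~=3.9` two lines away still use the operator the commit message says causes pip resolution problems, so the dependency list is now inconsistent. Either convert those to the same `>=X,<Y` form in this change or say in the message that the switch is intentionally Jinja2-only. It would also help a later reader to note, next to `"Jinja2>=3.1.3,<4"`, that 3.1.3 is the security floor for CVE-2024-22195, so nobody relaxes it back to `~=3.0` during a routine dependency cleanup.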
