From 11725296d685cf8ac5f24b81088e09552ae486d8 Mon Sep 17 00:00:00 2001
From: Quigley Malcolm
Date: Fri, 23 Feb 2024 08:53:09 -0800
Subject: [PATCH] Upgrade Jinja2 dependency version specification to address CVE-2024-22195 (#85)

CVE-2024-22195 identified an issue in Jinja2 versions <= 3.1.2. As such we've gone and changed our dependency requirement specification to be 3.1.3 or greater (but less than 4).

Note: Preivously we were using the `~=` version specifier. However due to some issues with the `~=` we've moved to using `>=` in combination with `<`. This gives us the same range that `~=` gave us, but avoids a pip resolution issue when multiple packages in an environment use `~=` for the same dependency.
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 10104d46..8356db8e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -31,7 +31,7 @@ dependencies = [
 "colorama>=0.3.9,<0.5",
 "isodate>=0.6,<0.7",
 "jsonschema~=4.0",
- "Jinja2~=3.0",
+ "Jinja2>=3.1.3,<4",
 "mashumaro[msgpack]~=3.9",
 "pathspec>=0.9,<0.12",
 "protobuf>=4.0.0,<5.0.0",