Skip to content

Commit

Permalink
chore(deps): update dependency jinja2 to v3.1.5 [security] (#1575)
Browse files Browse the repository at this point in the history
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [jinja2](https://redirect.github.com/pallets/jinja)
([changelog](https://jinja.palletsprojects.com/changes/)) | `3.1.4` ->
`3.1.5` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/jinja2/3.1.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/jinja2/3.1.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/jinja2/3.1.4/3.1.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/jinja2/3.1.4/3.1.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the warning logs for
more information.

### GitHub Vulnerability Alerts

####
[CVE-2024-56326](https://redirect.github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h)

An oversight in how the Jinja sandboxed environment detects calls to
`str.format` allows an attacker that controls the content of a template
to execute arbitrary Python code.

To exploit the vulnerability, an attacker needs to control the content
of a template. Whether that is the case depends on the type of
application using Jinja. This vulnerability impacts users of
applications which execute untrusted templates.

Jinja's sandbox does catch calls to `str.format` and ensures they don't
escape the sandbox. However, it's possible to store a reference to a
malicious string's `format` method, then pass that to a filter that
calls it. No such filters are built-in to Jinja, but could be present
through custom filters in an application. After the fix, such indirect
calls are also handled by the sandbox.

####
[CVE-2024-56201](https://redirect.github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699)

A bug in the Jinja compiler allows an attacker that controls both the
content and filename of a template to execute arbitrary Python code,
regardless of if Jinja's sandbox is used.

To exploit the vulnerability, an attacker needs to control both the
filename and the contents of a template. Whether that is the case
depends on the type of application using Jinja. This vulnerability
impacts users of applications which execute untrusted templates where
the template author can also choose the template filename.

---

### Release Notes

<details>
<summary>pallets/jinja (jinja2)</summary>

###
[`v3.1.5`](https://redirect.github.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-315)

[Compare
Source](https://redirect.github.com/pallets/jinja/compare/3.1.4...3.1.5)

Unreleased

-   Calling sync `render` for an async template uses `asyncio.run`.
    :pr:`1952`
-   Avoid unclosed `auto_aiter` warnings. :pr:`1960`
-   Return an `aclose`-able `AsyncGenerator` from
    `Template.generate_async`. :pr:`1960`
-   Avoid leaving `root_render_func()` unclosed in
    `Template.generate_async`. :pr:`1960`
- Avoid leaving async generators unclosed in blocks, includes and
extends.
    :pr:`1960`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/GoogleCloudPlatform/generative-ai).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44MC4wIiwidXBkYXRlZEluVmVyIjoiMzkuODAuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
renovate-bot authored Jan 2, 2025
1 parent afff98c commit 6299204
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion gemini/sample-apps/llamaindex-rag/pyproject.toml
Original file line number Diff line number Diff line change
@@ -101,7 +101,7 @@ iniconfig = "2.0.0"
installer = "0.7.0"
jaraco-classes = "3.4.0"
jeepney = "0.8.0"
jinja2 = "3.1.4"
jinja2 = "3.1.5"
joblib = "1.4.2"
jsonpatch = "1.33"
jsonpointer = "3.0.0"

0 comments on commit 6299204

Please sign in to comment.