This repository has been archived by the owner on Oct 27, 2021. It is now read-only.

[Security] Bump jinja2 from 2.8 to 2.10.1 #7

Closed
dependabot-preview[bot] wants to merge 1 commit

dependabot-preview[bot]

Bumps jinja2 from 2.8 to 2.10.1. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects Jinja2 and jinja2
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Affected versions: < 2.10.1

Release notes

Sourced from jinja2's releases.

2.10.1

2.10

Primary changes

Install or upgrade

Install from PyPI with pip:

pip install -U Jinja2

Changelog

Sourced from jinja2's changelog.

Version 2.10.1

Released 2019-04-06

  • SandboxedEnvironment securely handles str.format_map in order to prevent code execution through untrusted format strings. The sandbox already handled str.format.

Version 2.10

released on November 8th 2017

  • Added a new extension node called OverlayScope which can be used to create an unoptimized scope that will look up all variables from a derived context.
  • Added an in test that works like the in operator. This can be used in combination with reject and select.
  • Added previtem and nextitem to loop contexts, providing access to the previous/next item in the loop. If such an item does not exist, the value is undefined.
  • Added changed(*values) to loop contexts, providing an easy way of checking whether a value has changed since the last iteration (or rather since the last call of the method)
  • Added a namespace function that creates a special object which allows attribute assignment using the set tag. This can be used to carry data across scopes, e.g. from a loop body to code that comes after the loop.
  • Added a trimmed modifier to {% trans %} to strip linebreaks and surrounding whitespace. Also added a new policy to enable this for all trans blocks.
  • The random filter is no longer incorrectly constant folded and will produce a new random choice each time the template is rendered. (#478)
  • Added a unique filter. (#469)
  • Added min and max filters. (#475)
  • Added tests for all comparison operators: eq, ne, lt, le, gt, ge. (#665)
  • import statement cannot end with a trailing comma. (#617, #618)
  • indent filter will not indent blank lines by default. (#685)
  • Add reverse argument for dictsort filter. (#692)
  • Add a NativeEnvironment that renders templates to native Python types instead of strings. (#708)
  • Added filter support to the block set tag. (#489)
  • tojson filter marks output as safe to match documented behavior. (#718)
  • Resolved a bug where getting debug locals for tracebacks could modify template context.
  • Fixed a bug where having many {% elif ... %} blocks resulted in a "too many levels of indentation" error. These blocks now compile to native elif ..: instead of else: if ..: (#759)

Version 2.9.6

(bugfix release, released on April 3rd 2017)

  • Fixed custom context behavior in fast resolve mode (#675)

Version 2.9.5

(bugfix release, released on January 28th 2017)

  • Restored the original repr of the internal _GroupTuple because this caused issues with ansible and it was an unintended change. (#654)
  • Added back support for custom contexts that override the old resolve method since it was hard for people to spot that this could cause a regression.
  • Correctly use the buffer for the else block of for loops. This caused invalid syntax errors to be caused on 2.x and completely wrong behavior on Python 3 (#669)
  • Resolve an issue where the {% extends %} tag could not be used with async environments. (#668)
  • Reduce memory footprint slightly by reducing our unicode database dump we use for identifier matching on Python 3 (#666)
  • Fixed autoescaping not working for macros in async compilation mode. (#671)
... (truncated)
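An added illustration (not Jinja's code and not part of this pull request) of the gap the 2.10.1 changelog entry describes: an interceptor that guards `str.format` but not `str.format_map` still lets a format field walk underscore-prefixed attributes. `GuardedFormatter`, `guarded_call`, `User` and the sample data are hypothetical names constructed for this example.

```python
import _string  # CPython helper that string.Formatter itself uses to split field names
import string
from collections.abc import Mapping


class UnsafeFieldError(ValueError):
    """A format field tried to reach an underscore-prefixed attribute."""


class GuardedFormatter(string.Formatter):
    """Hypothetical guard for this example; not Jinja's own formatter."""

    def get_field(self, field_name, args, kwargs):
        first, rest = _string.formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, key in rest:
            if is_attr and key.startswith("_"):
                raise UnsafeFieldError(f"blocked attribute {key!r} in {field_name!r}")
            obj = getattr(obj, key) if is_attr else obj[key]
        return obj, first


def guarded_call(method, *args, guarded=("format", "format_map"), **kwargs):
    """Call `method`, routing the listed str methods through GuardedFormatter."""
    owner = getattr(method, "__self__", None)
    name = getattr(method, "__name__", "")
    if not (isinstance(owner, str) and name in guarded):
        return method(*args, **kwargs)  # anything not intercepted runs natively
    if name == "format_map":
        if len(args) != 1 or kwargs or not isinstance(args[0], Mapping):
            raise TypeError("format_map() takes exactly one mapping argument")
        args, kwargs = (), args[0]
    return GuardedFormatter().vformat(owner, args, kwargs)


class User:  # constructed sample object
    def __init__(self, name):
        self.name = name


def demo():
    ctx = {"u": User("alice")}
    results = {"ok": guarded_call("{u.name}".format_map, ctx)}
    probe = "{u.__class__.__name__}"  # harmless probe: reads only the class name
    for label, only in (("both", ("format", "format_map")), ("format_only", ("format",))):
        try:
            results[label] = guarded_call(probe.format_map, ctx, guarded=only)
        except UnsafeFieldError:
            results[label] = "blocked"
    return results
```

With only `format` guarded, the `format_map` call falls through to the native method and the field is resolved unchecked; guarding both names closes that path.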

Bumps [jinja2](https://github.com/mitsuhiko/jinja2) from 2.8 to 2.10.1. **This update includes security fixes.**
- [Release notes](https://github.com/mitsuhiko/jinja2/releases)
- [Changelog](https://github.com/pallets/jinja/blob/master/CHANGES.rst)
- [Commits](pallets/jinja@2.8...2.10.1)

Signed-off-by: dependabot-preview[bot] <[email protected]>
dependabot-preview bot added the dependencies and security labels Jun 20, 2019
dependabot-preview[bot]

Superseded by #120.

@dependabot-preview dependabot-preview bot deleted the dependabot/pip/jinja2-2.10.1 branch March 19, 2021 21:32