Skip to content

Commit 10730fd

Browse files
pulumi-renovate[bot]pulumi-renovate[bot]
authored
Update dependency Jinja2 to v3.1.6 [SECURITY] (#2057)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [Jinja2](https://redirect.github.com/pallets/jinja) ([changelog](https://jinja.palletsprojects.com/changes/)) | patch | `==3.1.5` -> `==3.1.6` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2025-27516](https://redirect.github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7) An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup. --- ### Release Notes <details> <summary>pallets/jinja (Jinja2)</summary> ### [`v3.1.6`](https://redirect.github.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-316) [Compare Source](https://redirect.github.com/pallets/jinja/compare/3.1.5...3.1.6) Released 2025-03-05 - The `|attr` filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:`cpwx-vrp4-4pq7` </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - "every weekday" (UTC). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuMTkuMCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJpbXBhY3Qvbm8tY2hhbmdlbG9nLXJlcXVpcmVkIl19--> Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>
1 parent 7083f14 commit 10730fd

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

aws-ts-stackreference-architecture/application/src/backend/requirements.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@ Click==8.1.8
22
dnspython==2.7.0
33
Flask==3.1.0
44
itsdangerous==2.2.0
5-
Jinja2==3.1.5
5+
Jinja2==3.1.6
66
MarkupSafe>=1.0
77
Werkzeug==3.1.3
88
requests==2.32.3

0 commit comments

Comments
 (0)