Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade Jinja2 dependency version specification to address CVE-2024-22195 #55

Merged
merged 2 commits into from
Mar 20, 2024
Merged

Upgrade Jinja2 dependency version specification to address CVE-2024-22195 #55

merged 2 commits into from
Mar 20, 2024

Conversation

QMalcolm
Copy link
Contributor

CVE-2024-22195 identified an issue in Jinja2 versions <= 3.1.2. To move this project off of Jinja2==3.1.2, we had to upgrade to the latest version of dbt-core (1.7.9) or greater. Doing so required us to also upgrade the dbt-duckdb version.

@QMalcolm
Update requirements.in to operate on dbt-core 1.7
bc1f7f2 
We wanted to move this project to the latest dbt-core version to ensure
it operates on a version of dbt-core that has addressed the security
issue (CVE-2024-22195) with Jinja2. By association we also had to upgrade
the version of dbt-duckdb being used. Tangentially we also upgraded the
version of sqlfluff.
@QMalcolm
Regenerate requirements.txt to use dbt-core 1.7 and related depende…
479a5d5 
…ncies

The `requirements.txt` was regenerated by first deleting the existing
`requirements.txt` and then running `$ pip-compile`.
@QMalcolm QMalcolm requested a review from dbeatty10 March 11, 2024 19:15
@QMalcolm QMalcolm mentioned this pull request Mar 11, 2024
Closed
QMalcolm
QMalcolm commented Mar 11, 2024
View reviewed changes
requirements.txt
iniconfig==2.0.0
# via pytest
isodate==0.6.1
# via
# agate
# dbt-core
jinja2==3.1.2
jinja2==3.1.3
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the line we care the most about 🙂

@QMalcolm QMalcolm merged commit 9b13827 into duckdb Mar 20, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gshank gshank gshank approved these changes

@dbeatty10 dbeatty10 Awaiting requested review from dbeatty10

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@QMalcolm @gshank