Commit
Upgrade Jinja2 dependency version specification to address CVE-2024-22195 (#9638) (#9655)

CVE-2024-22195 identified an issue in Jinja2 versions <= 3.1.2. As such
we've gone and changed our dependency requirement specification to be
3.1.3 or greater (but less than 4).

Note: Previously we were using the `~=` version specifier. However due
to some issues with the `~=` we've moved to using `>=` in combination
with `<`. This gives us the same range that `~=` gave us, but avoids
a pip resolution issue when multiple packages in an environment use `~=`
for the same dependency.

(cherry picked from commit 7ea4670)

Co-authored-by: Quigley Malcolm <[email protected]>
github-actions[bot] and QMalcolm authored Feb 26, 2024
1 parent 708e07e commit 0a6d0c1
Showing 2 changed files with 7 additions and 1 deletion.
6 changes: 6 additions & 0 deletions .changes/unreleased/Security-20240222-152445.yaml
@@ -0,0 +1,6 @@
kind: Security
body: Update Jinja2 to >= 3.1.3 to address CVE-2024-22195
time: 2024-02-22T15:24:45.158305-08:00
custom:
Author: QMalcolm
PR: CVE-2024-22195
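Review bot: the `PR:` field of this changelog entry holds the CVE identifier `CVE-2024-22195` rather than a pull request number; the commit title references #9638 and #9655, so `PR: 9638` (or whichever number the changelog tooling expects) would let the generated changelog link back to the change, and the CVE is already named in `body`.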
2 changes: 1 addition & 1 deletion core/setup.py
@@ -50,7 +50,7 @@
# dbt-core uses these packages deeply, throughout the codebase, and there have been breaking changes in past patch releases (even though these are major-version-one).
# Pin to the patch or minor version, and bump in each new minor version of dbt-core.
"agate~=1.7.0",
"Jinja2~=3.1.2",
"Jinja2>=3.1.3,<4",
"mashumaro[msgpack]~=3.9",
# ----
# Legacy: This package has not been updated since 2019, and it is unused in dbt's logging system (since v1.0)
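Review bot: the comment kept at the top of this hunk ("Pin to the patch or minor version, and bump in each new minor version of dbt-core") no longer describes the new specifier. `Jinja2~=3.1.2` resolves to `>=3.1.2,<3.2`, whereas `Jinja2>=3.1.3,<4` admits every future 3.x minor release, so the replacement is wider than the "same range" the commit message describes. If an exact equivalent that still picks up the CVE-2024-22195 fix is the goal, `"Jinja2>=3.1.3,<3.2"` keeps the minor-version pin; otherwise update the comment to say that Jinja2 is pinned at the major version only.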