From 0f189bc225b57682ff816aef21262de905720e16 Mon Sep 17 00:00:00 2001
From: Quigley Malcolm
Date: Fri, 23 Feb 2024 09:13:51 -0800
Subject: [PATCH] Upgrade Jinja2 dependency version specification to address CVE-2024-22195 (#9638)

CVE-2024-22195 identified an issue in Jinja2 versions <= 3.1.2. As such we've gone and changed our dependency requirement specification to be 3.1.3 or greater (but less than 4).

Note: Preivously we were using the `~=` version specifier. However due to some issues with the `~=` we've moved to using `>=` in combination with `<`. This gives us the same range that `~=` gave us, but avoids a pip resolution issue when multiple packages in an environment use `~=` for the same dependency.
---
 .changes/unreleased/Security-20240222-152445.yaml | 6 ++++++
 core/setup.py | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 .changes/unreleased/Security-20240222-152445.yaml

diff --git a/.changes/unreleased/Security-20240222-152445.yaml b/.changes/unreleased/Security-20240222-152445.yaml
new file mode 100644
index 00000000000..5c92c452ab0
--- /dev/null
+++ b/.changes/unreleased/Security-20240222-152445.yaml
@@ -0,0 +1,6 @@
+kind: Security
+body: Update Jinja2 to >= 3.1.3 to address CVE-2024-22195
+time: 2024-02-22T15:24:45.158305-08:00
+custom:
+ Author: QMalcolm
+ PR: CVE-2024-22195
diff --git a/core/setup.py b/core/setup.py
index 9ab55d39be1..7fff5dfcab0
--- a/core/setup.py
+++ b/core/setup.py
@@ -46,7 +46,7 @@
 "console_scripts": ["dbt = dbt.cli.main:cli"],
 },
 install_requires=[
- "Jinja2==3.1.2",
+ "Jinja2>=3.1.3,<4",
 "agate>=1.6,<1.7.1",
 # temporarily pinning click for mypy failures: https://github.com/pallets/click/issues/2558
 "click<9",
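Review bot: The removed line in the core/setup.py hunk is an exact pin `"Jinja2==3.1.2"`, while the commit message says the previous specifier was `~=`; one of the two is out of step, and the new `"Jinja2>=3.1.3,<4"` is wider than any `~=3.1.x` constraint would have been, so it is worth confirming that accepting every future Jinja2 3.x release is intended rather than `>=3.1.3,<3.2`. The lower bound itself matches the message (affected versions are <= 3.1.2), but a range in install_requires only takes effect where an environment is re-resolved, and any lockfile or constraints file outside this diff that still carries 3.1.2 would keep the vulnerable version installed — nothing in the diffstat touches one, so this is inferred rather than visible. A short why-comment on the new line would preserve that context for the next bump, e.g. `# >=3.1.3 required for CVE-2024-22195; keep in sync with any lock/constraints files`. The enclosing `setup(` call starts and ends outside the hunk.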