[Backport 1.5.latest] Upgrade Jinja2 dependency version specification…

… to address CVE-2024-22195 (#9670) * Upgrade Jinja2 dependency version specification to address CVE-2024-22195 (#9638) CVE-2024-22195 identified an issue in Jinja2 versions <= 3.1.2. As such we've gone and changed our dependency requirement specification to be 3.1.3 or greater (but less than 4). Note: Preivously we were using the `~=` version specifier. However due to some issues with the `~=` we've moved to using `>=` in combination with `<`. This gives us the same range that `~=` gave us, but avoids a pip resolution issue when multiple packages in an environment use `~=` for the same dependency.
dbt-labs · Feb 26, 2024 · b2270fa · b2270fa
1 parent dc3e667
commit b2270fa
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/.changes/unreleased/Security-20240222-152445.yaml b/.changes/unreleased/Security-20240222-152445.yaml
@@ -0,0 +1,6 @@
+kind: Security
+body: Update Jinja2 to >= 3.1.3 to address CVE-2024-22195
+time: 2024-02-22T15:24:45.158305-08:00
+custom:
+  Author: QMalcolm
+  PR: CVE-2024-22195
diff --git a/core/setup.py b/core/setup.py
@@ -46,7 +46,7 @@
         "console_scripts": ["dbt = dbt.cli.main:cli"],
     },
     install_requires=[
-        "Jinja2==3.1.2",
+        "Jinja2>=3.1.3,<4",
         "agate>=1.6,<1.7.1",
         # temporarily pinning click for mypy failures: https://github.com/pallets/click/issues/2558
         "click<9",