
Upgrade Jinja2 dependency version specification to address CVE-2024-22195 #54

Closed

Conversation

QMalcolm
Contributor

CVE-2024-22195 identified an issue in Jinja2 versions <= 3.1.2. As such we've gone and changed our dependency requirement specification to be 3.1.3.

@QMalcolm
Contributor Author

Looks like we need to patch core before being able to merge this. Relevant PR dbt-labs/dbt-core#9638

@QMalcolm
Contributor Author

Currently we pin to dbt-core 1.5.0, which is pinned to jinja2 3.1.2. Tomorrow we plan to release a patch release for dbt-core 1.5 (1.5.10) which updates the jinja2 dependency. At which point we can regenerate the requirements.txt file with dbt-core 1.5.10 (or perhaps something more recent like 1.7.9?)

To do this I first installed dbt-duckdb 1.7.3 via `pip install dbt-duckdb==1.7.3`.
Then I ran `pip freeze > requirements.txt` to overwrite the requirements file.
We did this to 1) upgrade to dbt-core 1.7 and 2) to get off of jinja2 3.1.2 which
had a security vulnerability (CVE-2024-22195).
@QMalcolm QMalcolm force-pushed the qmalcolm--CVE-2024-22195-exclude-Jinja2-3.1.2 branch from 1e0dbbf to 761f5d5 Compare March 7, 2024 21:23
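The procedure above regenerates `requirements.txt` from `pip freeze`, so the resulting file is a set of exact `==` pins and the question becomes whether the Jinja2 pin landed above 3.1.2. The script below is an added example (not code from the dbt-duckdb project or this PR) that scans such a file and reports whether the Jinja2 pin is in the CVE-2024-22195 range, above it, or absent. It assumes `pip freeze`-style `name==version` lines and uses a deliberately simplified version parser that only compares the numeric release segment; the two requirement snippets inside it are constructed to mirror the before/after state described in the thread, not the project's real files.

```python
"""Flag Jinja2 pins in a pip requirements file that fall in the CVE-2024-22195
range (<= 3.1.2). Added example, not code from the dbt-duckdb project."""
import re
from typing import Dict, Optional, Tuple

# Highest affected Jinja2 version, as stated in the PR discussion.
JINJA2_MAX_VULNERABLE: Tuple[int, ...] = (3, 1, 2)

# Constructed samples: a pre-bump freeze (dbt-core 1.5.0 era) and a
# post-bump freeze after `pip install dbt-duckdb==1.7.3`. Not the real files.
OLD_REQUIREMENTS = """\
# constructed example, not the project's actual requirements.txt
dbt-core==1.5.0
jinja2 == 3.1.2
MarkupSafe==2.1.3
"""
NEW_REQUIREMENTS = """\
dbt-core==1.7.9
dbt-duckdb==1.7.3
Jinja2==3.1.3  # CVE-2024-22195 fixed here
MarkupSafe==2.1.5
"""

# Matches "name==version", tolerating spaces, an environment marker after ";"
# and a trailing "# comment". Anything else (comments, -r includes, VCS URLs,
# range specifiers like >=) is ignored rather than treated as a pin.
_PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.+!-]*)"
    r"\s*(?:;[^#]*)?(?:#.*)?$"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'Jinja2' and 'jinja2' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the leading numeric release segment ("3.1.3rc1" -> (3, 1, 3)).
    Simplification: pre/post/dev suffixes are dropped, so this is only
    meaningful for the release pins that `pip freeze` emits."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_le(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """a <= b on release tuples, zero-padded so (3, 1) == (3, 1, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def parse_pins(requirements: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version for every '==' line."""
    pins: Dict[str, str] = {}
    for line in requirements.splitlines():
        m = _PIN_RE.match(line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def check_jinja2(requirements: str) -> Tuple[str, Optional[str]]:
    """Return ("vulnerable" | "ok" | "unpinned", pinned_version_or_None).

    "unpinned" means no exact '==' pin was found; an unconstrained or
    range-constrained Jinja2 cannot be judged from the file alone."""
    pinned = parse_pins(requirements).get("jinja2")
    if pinned is None:
        return ("unpinned", None)
    if version_le(parse_version(pinned), JINJA2_MAX_VULNERABLE):
        return ("vulnerable", pinned)
    return ("ok", pinned)


if __name__ == "__main__":
    for label, text in (("before bump", OLD_REQUIREMENTS), ("after bump", NEW_REQUIREMENTS)):
        print(f"{label}: {check_jinja2(text)}")
```

Run it against a real freeze with `check_jinja2(open("requirements.txt").read())`. The tuple comparison matters: a string comparison would wrongly rank `3.1.10` below `3.1.2`, which is exactly the kind of mistake a quick grep-based check makes.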
@QMalcolm
Contributor Author

closing in favor of #55

@QMalcolm QMalcolm closed this Mar 11, 2024