Bump jinja2 from 2.10 to 3.1.6 in /tools/code_coverage #740

dependabot · 2025-03-07T00:45:45Z

Bumps jinja2 from 2.10 to 3.1.6.

Release notes

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/ Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5 Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h

Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699

Sandbox does not allow clear and pop on known mutable sequence types. #2032

Calling sync render for an async template uses asyncio.run. #1952

Avoid unclosed auto_aiter warnings. #1960

Return an aclose-able AsyncGenerator from Template.generate_async. #1960

Avoid leaving root_render_func() unclosed in Template.generate_async. #1960

Avoid leaving async generators unclosed in blocks, includes and extends. #1960

The runtime uses the correct concat function for the current environment when calling block references. #1701

Make |unique async-aware, allowing it to be used after another async-aware filter. #1781

|int filter handles OverflowError from scientific notation. #1921

Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021

Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025

Fix copy/pickle support for the internal missing object. #2027

Environment.overlay(enable_async) is applied correctly. #2061

The error message from FileSystemLoader includes the paths that were searched. #1661

PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705

Improve annotations for methods returning copies. #1880

urlize does not add mailto: to values like @a@b. #1870

Tests decorated with @pass_context can be used with the |select filter. #1624

Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413

Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.

... (truncated)

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h

Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699

Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032

Calling sync render for an async template uses asyncio.run. :pr:1952

Avoid unclosed auto_aiter warnings. :pr:1960

Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960

Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960

Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960

The runtime uses the correct concat function for the current environment when calling block references. :issue:1701

Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781

|int filter handles OverflowError from scientific notation. :issue:1921

Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021

Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025

Fix copy/pickle support for the internal missing object. :issue:2027

Environment.overlay(enable_async) is applied correctly. :pr:2061

The error message from FileSystemLoader includes the paths that were searched. :issue:1661

PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705

Improve annotations for methods returning copies. :pr:1880

urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

1520688 release version 3.1.6
90457bb Merge commit from fork
065334d attr filter uses env.getattr
033c200 start version 3.1.6
bc68d4e use global contributing guide (#2070)
247de5e use global contributing guide
ab8218c use project advisory link instead of global
b4ffc8f release version 3.1.5 (#2066)
877f6e5 release version 3.1.5
8d58859 remove test pypi
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

* Calculate test targets based on git changes b/382508397 * Add missing shell declaration * Use correct base ref sha, do not append sources arg if no changed files * Only calculate test targets when testing is enabled * Refine test conditionals * Handle more cases Consider entire tree if no sources were provided or no targets found. * Filter out more targets * Enable base_perftests * Default to empty list of no targets found in BUILD.gn path * Fix how test targets are passed in workflow * Remove debug build * Handle changes to gni files * Skip build step if no test targets were found * Add back copying of test_target.json to out folder * Output targets in json array from build step ...instead of cat-ing the file everywhere. * The test_targets file is already in the out folder * Simplify base_dir logic since it is always present * Re-order initialize steps to match outputs section * Separate depot tools log from build log ...by moving it to a separate action * Add step outcome check before parsing json * Remove always condition from on-host tests * Add test target allowlist * Add print device logs step * Polish of comments and split lines * REVERT: Fake starboard change * Only upload test artifacts if tests were built * Use test target count to determine whether or not to run tests * Add couple of comments * Add check for count of tests in validate results step * Add log symbolization * Enable debug print and glob options * Cd to src before invoking symbolizer script * Paths are fun * Add test filters * REVERT: Disable sources arg to get all test targets * Try to fix path again * Do not parse json unless there is json * Break out logs printing to composite action * Pass symbol files through to print log step * Fix param to upload-action * Allow filtering of entire targets in json * Reorganize is_test_target to make code clearer * Add all the filters (maybe) * Fix if condition for odt job * Replace step reference with input * Attempt to fix symbolization command * Move cat to top of block * Add all the filters * Grep for failed tests in logs * Fix ODT if condition * Support skipping entire targets in results job * Skip on-device test runs where all tests are filtered * Some more filters * Fix grep * Disable symbolization * Some final filters * Move symbolized libs upload to upload artifacts action * Polish * Skip entire suit * Revert test changes * Strip lib path before copying * REVERT ME: Revert "Revert test changes" This reverts commit 4111fe3. * More symbolization finagling * One last filtered test * And for arm64 too * Revert "REVERT ME: Revert "Revert test changes"" This reverts commit fd89998. * Skip results job if both test jobs were skipped * Disable cobalt_unittests due to duplicate symbol issue * Always build test targets on devel config * Add debug prints to initialize step * Refactor handling of test_root_target in conditionals * Skip test artifact upload if no tests were built * Use fallback value if step was skipped * One last filtered test

Bumps [jinja2](https://github.com/pallets/jinja) from 2.10 to 3.1.6. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](pallets/jinja@2.10...3.1.6) --- updated-dependencies: - dependency-name: jinja2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

oxve and others added 2 commits March 6, 2025 16:27

dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Mar 7, 2025

dependabot bot requested a review from a team as a code owner March 7, 2025 00:45

dependabot bot requested review from dahlstrom-g and removed request for a team March 7, 2025 00:45

oxve force-pushed the main branch from 313466a to f2d403a Compare March 7, 2025 03:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump jinja2 from 2.10 to 3.1.6 in /tools/code_coverage #740

Bump jinja2 from 2.10 to 3.1.6 in /tools/code_coverage #740

dependabot bot commented on behalf of github Mar 7, 2025

Bump jinja2 from 2.10 to 3.1.6 in /tools/code_coverage #740

Are you sure you want to change the base?

Bump jinja2 from 2.10 to 3.1.6 in /tools/code_coverage #740

Conversation

dependabot bot commented on behalf of github Mar 7, 2025

3.1.6

3.1.5

3.1.4

3.1.3

Version 3.1.6

Version 3.1.5