Can't update jinja2 - version hardcoded #3186

Closed
1 of 5 tasks
eugene-nikolaev opened this issue Mar 23, 2021 · 2 comments
Labels
bug Something isn't working dependencies Changes to the version of dbt dependencies
Comments

@eugene-nikolaev

Hello!

Describe the bug

Tried to resolve a security alert:
GHSA-g3rq-g295-4j3m
But the jinja2 version is hardcoded here:
https://github.com/fishtown-analytics/dbt/blob/77c10713a325d2bee91d1822951ce5d91ccc3278/core/setup.py#L62
So I was not able to bump up the version within my project.

Steps To Reproduce

  • I've just set this in Pipfile:
[packages]
jinja2 = ">=2.11.3"

Expected behavior

jinja2 to be upgraded

Screenshots and log output

not applicable

System information

Which database are you using dbt with?

  • postgres
  • redshift
  • bigquery
  • snowflake
  • other (specify: not relevant)

The output of dbt --version:

0.19.1-rc1

But basically it was merged in master in: 626f835
so not only

The operating system you're using:
MacOS

The output of python --version:
Python 3.7.7

Additional context

Add any other context about the problem here.
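The problem the report describes is a tight `==` pin in a library's `setup.py` that leaves a downstream project no resolvable way to pull in the patched release its own Pipfile asks for. As an added example (not code from this issue or from the dbt project), the script below audits an `install_requires` block against a table of advisory fix floors and checks whether a consumer's constraint can be co-installed with the library's pin. The sample `setup.py` text, the `Jinja2==2.11.2` pin and the advisory table are constructed assumptions; 2.11.3 is used as the fix floor only because that is what the reporter's Pipfile requests. The specifier evaluator is deliberately stdlib-only and handles plain numeric release versions with the seven common PEP 440 operators; for anything beyond that (pre-releases, local versions, wildcards) use the `packaging` library instead.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Spec = Tuple[str, Version]

# Constructed sample (not dbt's real setup.py): an install_requires block
# with a tight pin on Jinja2, in the shape the issue above describes.
SAMPLE_SETUP_PY = '''
setup(
    name="example-project",
    install_requires=[
        "Jinja2==2.11.2",
        "requests>=2.20.0,<3",
        "MarkupSafe>=0.23,<2",
    ],
)
'''

# Constructed advisory table: normalized package name -> first patched version.
# 2.11.3 is an assumption taken from the reporter's Pipfile, not advisory data.
ADVISORIES: Dict[str, str] = {"jinja2": "2.11.3"}

# Operator alternation lists two-char operators first so "<=" is not read as "<".
_SPEC_RE = re.compile(r"(~=|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(text: str) -> Version:
    """Parse a plain dotted release ('2.11.3') into an int tuple.
    Pre-release and local suffixes (2.11.3rc1, 1.0+abc) are out of scope."""
    return tuple(int(part) for part in text.strip().split("."))


def version_cmp(a: Version, b: Version) -> int:
    """Three-way compare with zero padding so 2.11 == 2.11.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def extract_requirements(setup_py: str) -> List[str]:
    """Pull the string literals out of install_requires=[...] in setup.py text."""
    m = re.search(r"install_requires\s*=\s*\[(.*?)\]", setup_py, re.S)
    return re.findall(r"""["']([^"']+)["']""", m.group(1)) if m else []


def parse_requirement(req: str) -> Tuple[str, List[Spec]]:
    """Split 'Jinja2==2.11.2' into ('jinja2', [('==', (2, 11, 2))])."""
    name_match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
    if not name_match:
        raise ValueError("unparseable requirement: %r" % req)
    name = name_match.group(1).lower().replace("_", "-")
    rest = req[name_match.end():]
    return name, [(op, parse_version(v)) for op, v in _SPEC_RE.findall(rest)]


def admits(specs: List[Spec], version: Version) -> bool:
    """True if `version` satisfies every clause; '~=X.Y.Z' means >=X.Y.Z and ==X.Y.*"""
    for op, pinned in specs:
        c = version_cmp(version, pinned)
        if op == "==" and c != 0: return False
        if op == "!=" and c == 0: return False
        if op == ">=" and c < 0: return False
        if op == ">" and c <= 0: return False
        if op == "<=" and c > 0: return False
        if op == "<" and c >= 0: return False
        if op == "~=" and (c < 0 or version[:len(pinned) - 1] != pinned[:-1]):
            return False
    return True


def floor_at_or_above(specs: List[Spec], patched: Version) -> bool:
    """Conservative check that some clause forces every admitted version to be
    >= patched, so a vulnerable release can no longer be resolved."""
    return any(op in ("==", ">=", "~=", ">") and version_cmp(pinned, patched) >= 0
               for op, pinned in specs)


def audit(setup_py: str, advisories: Dict[str, str]) -> Dict[str, dict]:
    """For each advised package, report whether the pin admits the fix and
    whether it still admits vulnerable versions."""
    report = {}
    for req in extract_requirements(setup_py):
        name, specs = parse_requirement(req)
        if name in advisories:
            patched = parse_version(advisories[name])
            report[name] = {
                "requirement": req,
                "admits_patched": admits(specs, patched),
                "excludes_vulnerable": floor_at_or_above(specs, patched),
            }
    return report


def can_coinstall(project_req: str, consumer_req: str, candidate: str) -> bool:
    """Whether one candidate version satisfies both the library's pin and the
    consumer's constraint, i.e. whether a resolver has any solution there."""
    _, a = parse_requirement(project_req)
    _, b = parse_requirement(consumer_req)
    v = parse_version(candidate)
    return admits(a, v) and admits(b, v)


if __name__ == "__main__":
    for name, row in audit(SAMPLE_SETUP_PY, ADVISORIES).items():
        print(name, row)
    print("2.11.3 resolvable?",
          can_coinstall("Jinja2==2.11.2", "jinja2>=2.11.3", "2.11.3"))
```

Run against the constructed sample, `audit` flags `jinja2` as neither admitting the patched version nor excluding vulnerable ones, and `can_coinstall` shows that `Jinja2==2.11.2` and `jinja2>=2.11.3` have no common version, which is the conflict the reporter hit. Swapping the pin for a range such as `Jinja2>=2.11.3,<3` makes both checks pass, which is the trade-off the maintainer's reply weighs: a range admits the fix but also re-exposes the project to breaking patch releases unless a lockfile pins the resolved version.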

@eugene-nikolaev eugene-nikolaev added bug Something isn't working triage labels Mar 23, 2021
@jtcohen6 jtcohen6 added dependencies Changes to the version of dbt dependencies and removed triage labels Mar 23, 2021
@jtcohen6 (Contributor)

Hey @eugene-nikolaev, dbt started tightly pinning Jinja2 because of a breaking change in a patch release last year (April 2020, see 626f835 in #2318).

Thanks for calling out the security advisory. We currently intend to bump the Jinja2 pin (#3077), along with all other pinned dependencies, before the next minor version of dbt.

@jtcohen6 (Contributor)

Resolved by #3077
