Upgrade Jinja to 3.1.6 #2214
Conversation
Thank you for getting to this @aidenfoxivey! I ran a cursory search on requirements.txt/requirements.in and found that pip-compile (from pip-tools) translates the handwritten requirements.in to a version-pinned requirements.txt. I am not certain that is the workflow that was used prior to this PR, but as I understand it, the workflow in this PR is certainly different. Could you please explain the workflow for how a user would update a dependency once this PR is merged?
Does this mean you're using nix to manage python dependencies instead of pip-tools? Also, although
I believe that when updating the requirements for SLH DSA I took the following steps (in addition to updating the files Pravek mentioned):
- Added the name of the pip requirement to .github/workflows/requirements.in
- Ran the command "pip-compile --generate-hashes --output-file=requirements.txt requirements.in" to populate .github/workflows/requirements.txt
- Then add the following line in the CI containers repo like so
A user can run
Sorry, I was vague here. I mean that there is a lock file and a requirement file. The lock file is just "liboqs at commit My perspective is that unless the workflow depends on a specific version of a python package, the If you do pin
Thanks for the explanation @aidenfoxivey, I think it looks good to go if you're certain this is the only place Jinja needs updating.
From what I can tell this is the only use of Jinja in the repo!
| # pip-compile | ||
| # | ||
| attrs==20.3.0 \ | ||
| --hash=sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6 \ |
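Review bot: keep a `--hash=sha256:…` line on every pinned entry in this file, not only on `attrs==20.3.0`; once any requirement in a file carries a hash, pip installs it in hash-checking mode and fails on every entry that has no hash, so the file should be regenerated as a whole with `pip-compile --generate-hashes --output-file=requirements.txt requirements.in` (the command quoted earlier in the thread) rather than hand-edited for the Jinja bump.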
I think it is good practice to have the hashes of the packages here to reduce the risk of supply chain attacks.
Good call - I just fixed it!
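The two points discussed above, the requirements.in to requirements.txt step via `pip-compile --generate-hashes` and the review comment about keeping the package hashes, can be checked mechanically. The checker below is an added illustration, not code from this PR or from the project; the sample file content is constructed for the example (only the attrs hash is the one visible in the diff), and pip's rule that a file containing any `--hash` is installed in hash-checking mode is what the `find_problems` check encodes.

```python
import re

# Constructed sample in the format pip-compile --generate-hashes writes. The attrs
# hash is the one shown in the diff; the second digest and the unhashed jinja2 entry are made up.
SAMPLE_REQUIREMENTS_TXT = """\
# This file is autogenerated by pip-compile
attrs==20.3.0 \\
    --hash=sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6 \\
    --hash=sha256:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
jinja2==3.1.6
    # via -r requirements.in
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([^\s\\]+)")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
DIGEST_HEX_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}


def parse_pinned(text):
    """Map normalised package name -> {'version', 'hashes'} for a pip-compile file."""
    logical, buf = [], ""
    for raw in text.splitlines():          # join "\"-continued lines first
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    pins = {}
    for line in logical:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                       # blank lines and "# via ..." comments
        m = PIN_RE.match(stripped)
        if not m:
            continue                       # options such as --index-url
        name = m.group(1).lower().replace("_", "-")
        pins[name] = {"version": m.group(2), "hashes": HASH_RE.findall(stripped)}
    return pins


def find_problems(pins):
    """Entries pip's hash-checking mode would reject: no hash, or a malformed digest."""
    problems = []
    for name, pin in sorted(pins.items()):
        if not pin["hashes"]:
            problems.append(f"{name}=={pin['version']}: no --hash")
        for algo, digest in pin["hashes"]:
            if len(digest) != DIGEST_HEX_LEN[algo]:
                problems.append(f"{name}=={pin['version']}: bad {algo} digest length")
    return problems
```

Run `find_problems(parse_pinned(open(".github/workflows/requirements.txt").read()))` in CI to catch a hand-edited bump that dropped its hashes.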
As per GHSA-cpwx-vrp4-4pq7, use of Jinja 3.1.5 has a vulnerability. It's probably not an incredible problem, but it would be best to upgrade these packages to stay updated with bugfixes.

This follows the Nix flake model where the inputs are not pinned explicitly, so 'updating' them will actually increment their versions.

Signed-off-by: Aiden Fox Ivey <[email protected]>
@aidenfoxivey We now have some merge conflicts here, are you able to resolve?
Signed-off-by: Aiden Fox Ivey <[email protected]>
Should be fixed.
* Upgrade Jinja to 3.1.6

As per GHSA-cpwx-vrp4-4pq7, use of Jinja 3.1.5 has a vulnerability. It's probably not an incredible problem, but it would be best to upgrade these packages to stay updated with bugfixes.

This follows the Nix flake model where the inputs are not pinned explicitly, so 'updating' them will actually increment their versions.

Signed-off-by: Aiden Fox Ivey <[email protected]>

* Fixed requirements merge conflict

Signed-off-by: Aiden Fox Ivey <[email protected]>

---------

Signed-off-by: Aiden Fox Ivey <[email protected]>