Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Restricting jinja2 < 3.0 creates dependabot security alert #2517

Closed
soininen opened this issue Jan 24, 2024 · 3 comments
Closed

Restricting jinja2 < 3.0 creates dependabot security alert #2517

soininen opened this issue Jan 24, 2024 · 3 comments
Assignees
Labels
bug Something isn't working

Comments

@soininen
Copy link
Contributor

There is apparently a vulnerability in jinja2 < 3.1.3 which triggers a security alert when pushing to Spine-Database-API, spine-engine and Spine-Toolbox repositories because their requirements.txt files restrict jinja2 < 3.0 with a comment stating that the restriction comes from Dagster

We should just remove the restriction from Spine-Database-API because it does not depend on Dagster in any way.

I am not sure what to do with Spine-Engine, though. Perhaps we need to try to upgrade to latest Dagster?

@soininen soininen added the bug Something isn't working label Jan 24, 2024
@soininen soininen self-assigned this Jan 24, 2024
@ptsavol
Copy link
Member

ptsavol commented Jan 24, 2024

The jinja2 requirement is in spinedb_api/docs/requirements.txt and it was added there so that the spinedb-api docs requirements would install the same version of Sphinx as spinetoolbox/docs/requirements.txt. If we don't do that, there is a dependency conflict (there is an older issue on this). I don't know how to deal with the security alert though. Do a lot of people actually install the docs requirements using the spinedb-api/docs/requirements.txt. Maybe we should remove it and point them to the spinetoolbox/docs/requirements.txt instead.

@soininen
Copy link
Contributor Author

soininen commented Jan 26, 2024

Thanks @PekkaSavolainen for the insightful comment! I did not realize the dependency comes from build_docs.

@soininen
Copy link
Contributor Author

Thanks to ditching Dagster and updating our dependencies, all Dependabot security alerts in all four repositories are gone.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants