
[Snyk] Security upgrade jinja2 from 2.11.3 to 3.1.3 #150

Merged
merged 1 commit into from
Apr 3, 2024

Conversation

billmetangmo
Member

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • requirements.txt
⚠️ Warning
Werkzeug 2.2.3 has requirement MarkupSafe>=2.1.1, but you have MarkupSafe 1.1.1.
Jinja2 3.1.3 has requirement MarkupSafe>=2.0, but you have MarkupSafe 1.1.1.
botocore 1.33.13 has requirement urllib3<1.27,>=1.25.4; python_version < "3.10", but you have urllib3 2.0.7.

Vulnerabilities that will be fixed

By pinning:
| Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity |
| --- | --- | --- | --- | --- | --- |
| medium severity | 556/1000 (Why? Recently disclosed, Has a fix available, CVSS 5.4) | Cross-site Scripting (XSS) SNYK-PYTHON-JINJA2-6150717 | jinja2: 2.11.3 -> 3.1.3 | No | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-6150717
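The warning block in the description is the practical risk of a one-package security bump: jinja2 moves to 3.1.3 while MarkupSafe stays pinned at 1.1.1, below what Jinja2 and Werkzeug declare they need. The script below is an added example, not Snyk's tooling and not the project's code. It reproduces that consistency check over a constructed pin set copied from the warning lines; the version comparison is a deliberately small PEP 440 subset and the only environment marker it evaluates is `python_version`, both assumptions made for illustration.

```python
"""Minimal consistency check for a pinned requirements set.

Reproduces the kind of warning printed in this PR: after bumping jinja2
to 3.1.3, the still-pinned MarkupSafe 1.1.1 violates the constraints that
Jinja2 and Werkzeug declare on it.
"""
import re
import sys

# Constructed sample: the pins this PR leaves behind (versions taken from
# the warning in the PR description; the dict shape is an assumption).
PINNED = {
    "jinja2": "3.1.3",
    "markupsafe": "1.1.1",
    "werkzeug": "2.2.3",
    "botocore": "1.33.13",
    "urllib3": "2.0.7",
}

# Constructed sample: what each pinned package declares it requires
# (the constraints quoted verbatim in the warning).
DECLARED_REQUIREMENTS = {
    "werkzeug": ["MarkupSafe>=2.1.1"],
    "jinja2": ["MarkupSafe>=2.0"],
    "botocore": ['urllib3<1.27,>=1.25.4; python_version < "3.10"'],
}

_SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.]*)")
_MARKER_RE = re.compile(r'python_version\s*(==|!=|<=|>=|<|>)\s*"([0-9.]+)"')

_OPS = {
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
    "<=": lambda c: c <= 0,
    ">=": lambda c: c >= 0,
    "<": lambda c: c < 0,
    ">": lambda c: c > 0,
}


def _version_key(version):
    """Numeric components only: '2.1.1' -> [2, 1, 1]; non-numeric parts count as 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d+)", piece)
        parts.append(int(m.group(1)) if m else 0)
    return parts


def _compare(a, b):
    """Three-way compare, zero-padding so '2.0' == '2.0.0'."""
    ka, kb = _version_key(a), _version_key(b)
    n = max(len(ka), len(kb))
    ka += [0] * (n - len(ka))
    kb += [0] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_requirement(req):
    """Split 'Name<specs>; marker' into (lowercased name, [(op, version)], marker)."""
    req, _, marker = req.partition(";")
    m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(.*)", req)
    return m.group(1).lower(), _SPEC_RE.findall(m.group(2)), marker.strip()


def marker_applies(marker, python_version=None):
    """Evaluate the one marker form seen in the warning (python_version).
    Any other marker is treated as applying, which errs toward reporting."""
    if not marker:
        return True
    m = _MARKER_RE.fullmatch(marker)
    if not m:
        return True
    if python_version is None:
        python_version = "%d.%d" % sys.version_info[:2]
    return _OPS[m.group(1)](_compare(python_version, m.group(2)))


def satisfies(version, specs):
    """True when `version` meets every (op, wanted) pair."""
    return all(_OPS[op](_compare(version, wanted)) for op, wanted in specs)


def find_conflicts(pinned, declared, python_version=None):
    """Return [(requirer, requirement, pinned_version)] for each declared
    requirement the pinned set violates; `pip check` reports the same thing."""
    conflicts = []
    for requirer, reqs in declared.items():
        if requirer not in pinned:
            continue
        for req in reqs:
            name, specs, marker = parse_requirement(req)
            if not marker_applies(marker, python_version):
                continue
            have = pinned.get(name)
            if have is None or not satisfies(have, specs):
                conflicts.append((requirer, req, have))
    return conflicts


if __name__ == "__main__":
    for requirer, req, have in find_conflicts(PINNED, DECLARED_REQUIREMENTS):
        print(f"{requirer} {PINNED[requirer]} has requirement {req}, but you have {have}")
```

Against the constructed pins the script reports the same three lines as the warning on Python 3.9 and two on 3.11 (the urllib3 constraint is gated on `python_version < "3.10"`); raising the MarkupSafe pin to a 2.1.x release clears the Jinja2 and Werkzeug conflicts. In a real environment the equivalent is `pip check` after `pip install -r requirements.txt`, which should be part of the CI gate that runs on bot-generated dependency PRs.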
Contributor

Infracost report

💰 Monthly cost will not change

This comment will be updated when code changes.

@billmetangmo
Member Author

❌ Plan Failed

CI link

Error: "name" cannot be longer than 64 characters: "mtchoun-mouh-snyk-fix-6326d0e314f4279f83eafbb2472e6060-trigger_user_scan"
 
   with aws_cloudwatch_event_rule.scheduler,
   on main.tf line 288, in resource "aws_cloudwatch_event_rule" "scheduler":
  288:   name                = (terraform.workspace == "mtchoun-mouh-master") ? "trigger_user_scan" : "${terraform.workspace}-trigger_user_scan"
 

Operation failed: failed running terraform plan (exit 1)
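The plan failure above is a name-length limit: the branch-derived workspace name (`mtchoun-mouh-snyk-fix-<hash>`) pushed the EventBridge rule name past the 64 characters the error reports, so any bot-generated branch with a long name breaks the per-branch environment. The snippet below is an added example, not the project's `main.tf`, showing one way to bound the name deterministically while keeping it unique per workspace. It assumes Terraform 1.2 or later for the `lifecycle` precondition; the schedule expression is a placeholder.

```hcl
# Added example (not the project's own code): bound the rule name to the
# 64-character limit reported by the failed plan, whatever the workspace name.
locals {
  rule_suffix = "trigger_user_scan" # 17 characters

  # 64 - len("-trigger_user_scan") - len("-<7-char hash>") = 38 characters of prefix.
  workspace_prefix = substr(terraform.workspace, 0, 38)

  # A short hash of the full workspace name keeps two long, truncated names apart.
  workspace_hash = substr(sha1(terraform.workspace), 0, 7)

  scheduler_rule_name = (
    terraform.workspace == "mtchoun-mouh-master"
    ? local.rule_suffix
    : "${local.workspace_prefix}-${local.workspace_hash}-${local.rule_suffix}"
  )
}

resource "aws_cloudwatch_event_rule" "scheduler" {
  name                = local.scheduler_rule_name
  schedule_expression = "rate(1 day)" # placeholder, not the project's schedule

  lifecycle {
    # Fail at plan time with a clear message instead of an API error.
    precondition {
      condition     = length(local.scheduler_rule_name) <= 64
      error_message = "EventBridge rule names are limited to 64 characters."
    }
  }
}
```

With the workspace name from the error, the prefix is cut to 38 characters and the suffix and hash bring the total to exactly 64; the precondition then documents the limit for the next reader rather than leaving it to the provider error.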

@billmetangmo billmetangmo merged commit d8c8064 into master Apr 3, 2024
5 of 6 checks passed
@billmetangmo billmetangmo deleted the snyk-fix-6326d0e314f4279f83eafbb2472e6060 branch September 1, 2024 09:54
billmetangmo added a commit that referenced this pull request Sep 11, 2024
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-6150717

Co-authored-by: snyk-bot <[email protected]>
billmetangmo added a commit that referenced this pull request Sep 19, 2024
* Update README.md

* Update README.md

* remove stopWords

* add demo task

* parametrise the consulate URLs

* better subject notification

* added demo feature

* updated doc

* removed pycache file

* undo config

* Updated mail format

* Send user registration mail without CLI

* Update notify.py

* Update README.md

* Update notify.py

* Update README.md

* Added deployment scripts and updated code accordingly

* Update README.md

* Update README.md

* Updated github project link

* Update README.md

* Update README.md

* Update README.md

* Create LICENSE

* Added audience measure

* Added design picture to readme

* Updated API URL from manual to automatic

Before the change, the API URL had to be copied/pasted into the demo/index html files. Now it's done automatically through terraform.

* Updated doc with SSL guidelines

* architecture done

* architecture done

* Updated url to add /register and avoid 40X error

* Updated doc related to cloudfront with cache invalidation

Currently, the cache duration is the default one, so 1 day. This means that an index.html modification will only be viewable after this amount of time. With the modification, it's served from origin directly.

* Updated doc with free domain name for easy test

* Added a simple end-to-end test with uirecord (alibaba)

* Update README.md

* Update README.md

* updated index page due to repository change

* Update README.md

* removed bucket redirection

the redirect bucket tfstate is moved to the official website tfstate project.

* migrated from local to remote state

* decrease dynamoDB r/w units from 5 to 1 per table

* Updated contact from gitreports to mtchoun-mouh mailing list

* updated terraform and hashicorp/aws plugin

* Removed html files upload from terraform

To avoid issue like hashicorp/terraform-provider-aws#9579

* Removed all mentions of contact_url as maintainer_mail used instead

* Added requirements.txt for lambda functions

Useful for security scan by dependabots. Fixes #36

* Updated SES Region to eu-central-1 where verified mailing list resided

Fixes #32

* Updated SES Region to eu-central-1 where verified mailing list resided

Fixes #32

* Moved from Google Analytics to Matomo

Fixes #31

* Bump urllib3 from 1.25.10 to 1.26.5 in /api

Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.25.10 to 1.26.5.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@1.25.10...1.26.5)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Added date label to issues

* updated index page template with matomo

* updated urllib lambda package for security

* Bump jinja2 from 2.11.2 to 2.11.3

Bumps [jinja2](https://github.com/pallets/jinja) from 2.11.2 to 2.11.3.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](pallets/jinja@2.11.2...2.11.3)

---
updated-dependencies:
- dependency-name: jinja2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Added automation percentage with drift.

Fixes #24

* Updated requests due to urllib3 security updates.

* Added CHANGELOG

* Added terraform pre-commit validation

Fixes  #7

* Added organic referencing notes

Fixes  #15

* Updated doc with matomo

Fixes #38

* Updated pre-commit exclude files

* Updated README.md

* Added secret-detection on CI

Fixes #43

* Added precommit option for black python formatting

* test

* Update workflows.yml

* Create requirements.txt

* Update requirements.txt

* Update workflows.yml

* Removed DynamoDB Locks

The lock is not supported per workspace but for all workspaces together. So using it makes the workspace fail because it wants to create a new lock table.

* Removed terraform-state bucket

When using another workspace, terraform failed trying to create the same bucket.

* Added a way to deploy environment on need for PR (#59)

* Update code with terraform workspace indexation

* Update lambda.zip

* Update workspace.yml

* Revert tfstate remote instead of local

* Added act to run github action locally

* Add Copy Site files to workflow

* Added output url

* Added tf destroy on close MR

* Update gitignore with index.html + lambda.zip

If not, these files will erase files from prod when merged.

* Updated merge_pr.yml

* Updated test

* Added force_destroy to delete non empty bucket

Co-authored-by: Patrick Djiela <[email protected]>

* Updated html files due to destroy issue

* Updated workflow for main deployment

* Updated python package

* Clean the source code

* added terraform constraint validation on variables

Fixes #56

* fix CI issues about domain name

* Unit test -> extract and notify

updated CI test with unitests

Co-authored-by: fabiolatagne97 <[email protected]>

* test workflow only on pull request

* test workflow only on pull request

* added gitpod

* updated gitignore

* updated terraform var to capital

* added gitpod url to README

* updated terraform var to capital

* deploy project only if modifications on specific paths

* Updated python unit tests version from 3.8 to 3.10

* Enable DynamoTable PITR

* Updated README with unit tests commands

* add coverage

* Updated coverage.svg

* docs: update README.md [skip ci]

* docs: create .all-contributorsrc [skip ci]

* added coverage icon

* fix coverage image location

* Updated pre-commit with detect-secrets

* Added function doc using mintlify writer

* Updated coverage.svg

* updated layout by regrouping all infra files in a folder

* Fixed template folder not found

* Fixed api directory not found

* Automated event issues to project board ( /mongulu-cm/lobembe#36 )

* Switched documentation from French to English

* feat(commit): add commitlint as commit message standard ( /mongulu-cm/lobembe#21 )

* ci(commit): add commitlint as commit message standard ( /mongulu-cm/lobembe#21

* docs(commit): add commitzen badge in README ( /mongulu-cm/lobembe#21 )

* chore(code-review): add aws codeguru as code reviewer

* fix(gitpod): persist packages between workplace restart (/mongulu-cm/lobembe#40)

By re-installing them if they don't exist

* style(commit): disable body-max-length (/mongulu-cm/lobembe#39)

* fix(gitpod): add .envrc to allow source AWS config for each shell

* docs: update README.md

* chore: update gitignore with terraform lock file

* ci: update test trigger from pull_request to push

We previously set it to pull_request on the assumption that people work locally and then open a pull_request. This creates a new env that the reviewer can use. However, most newbies aren't devops aficionados, so when they create a new branch, deploying the infra should just be pushing the branch, and then they can work. In addition, this also allows checking the deployed version before merging.

* refactor: avoid duplication for deploy to prod and others env

* docs: update README.md [skip ci]

* docs: update .all-contributorsrc [skip ci]

* fix(pre-commit): rev not present for detect-secrets

* test: add useful tests files during development

* comment

* no precommit

* add the TODOs

* refactor: dynamodb pitr only in prod (( /mongulu-cm/lobembe#47)

Closes /mongulu-cm/lobembe#47

* ci: use ratchet to pin docker images (/mongulu-cm/lobembe#41)

* add name and email in confirmation modal

* ci(deploy): fix paths to support infra

* errors_tab

* test: lambda user images

* feat: add zulip

* ci(deploy): use oidc to connect to AWS instead of hard credentials (/mongulu-cm/lobembe#44)

* feat: send message on zulip

* feat:update final error messages notification

* feat(monitoring): add sentry for error reporting (#64)

* ci(deploy): fix close_job action which hangs waiting for SENTRY_DNS

* feat:solving unitest errors

* feat: add api key secret

* feat: update main.tf with api key

* Update main.tf

* feat:delete urllib3

* feat: new update on main.tf

* feat: update vars.tf with api key var

* ci(deploy): fix close_job action which fails due to AWS creds missing

* test(coverage-badge): fix svg gen due to missing API_KEY (#34)

Closes #34

* refactor(tests): move all tests file into a folder

* chore(deps): bump certifi from 2020.6.20 to 2022.12.7 in /api (#91)

Bumps [certifi](https://github.com/certifi/python-certifi) from 2020.6.20 to 2022.12.7.
- [Release notes](https://github.com/certifi/python-certifi/releases)
- [Commits](certifi/python-certifi@2020.06.20...2022.12.07)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci(tests): add tag for finops (#44)

* ci(tests): add infracost for cost estimation on PR (#44)

Closes #44

* ci(tests): add tf-cmt to post terraform result to PR comments (#44)

Closes #44

* ci(deploy): fix close_job action which fails due to API_KEY missing

* Revert "refactor(tests): move all tests file into a folder"

This reverts commit c137390.

* refactor: use secretsfoundry to manage .env securely

* Update vars.tf

feat: send email

* Update vars.tf

* Update notify.py

* feat: send mail

* Update notify.py

* feat(registration_mail):read mail directly from .html file inside the project

* Create mtchoun-mouhregistration.html

* feat(registration_mail): "just to start the deploy pipeline"

* Update notify.py

* Update main.tf

* refactor: updated mail template (#61)

Closes #61

* ci(deploy): fix pipeline not started if python file modified (#97)

closes #97

* refactor: remove name form pre-header (#97)

closes #97

* Updated coverage.svg

* fix: replace matomo.simplehosting.me by our self-hosted instance

* fix: remove export to allow secretsfoundry to support all .env vars

* feat: add tag manager to monitor form submission

* fix: use an explicit environment for sentry (#98)

* test: add readiness healthy checkup (#67)

closes #67 
---------

Co-authored-by: Bill Metangmo <[email protected]>

* fix: website_url was empty if branch is master

* fix: demo page is not maintained (#107)

closes #107

* refactor: remove all demo page mentions

* Create dependabot.yml

all the package

* Update dependabot.yml

add daily

* fix: accurately measure time spent on each page

https://developer.matomo.org/guides/tracking-javascript-guide#accurately-measure-the-time-spent-on-each-page

* ci: check liveness after site deployment (#90)

Closes #90

* fix: updated REGISTRATION_TABLE to REGISTERS_TABLE

* fix: add commitizen + aws

* Switch to terraform cloud (#55)

* fix: Update to use tfc workspace with cli

* fix: update to use tfc workspace with cli

* fix: update action config

* fix: terraform enterprise token missing

* fix: terraform enterprise token missing

* fix: allow tf variables reading

* fix: allow s3 bucket public access

* fix: allow s3 bucket public access

* fix:  Error putting S3 policy: AccessDenied: Access Denied

* fix: remote s3 bucket copy error

* fix: missing index.html on bucket

* fix: remote s3 bucket copy error

* fix: python unittests and e2e

* ci: remove unnecessary files

---------

Co-authored-by: pdjiela <[email protected]>
Co-authored-by: billmetangmo<[email protected]>

* ci: fix add coverage-badge

* fix: selected workspace doesn't exist

* fix: all tf variables are in TFC now

* fix: website copy for non master

* ci: update close_pr due to passage to TFC

* fix: handle http errors properly (#116)

* fix: gitpod apt update hangs

* fix: 403 http error consulcam website (#116)

* chore(deps): bump sentry-sdk from 1.11.1 to 1.14.0 in /infra/api

Bumps [sentry-sdk](https://github.com/getsentry/sentry-python) from 1.11.1 to 1.14.0.
- [Release notes](https://github.com/getsentry/sentry-python/releases)
- [Changelog](https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md)
- [Commits](getsentry/sentry-python@1.11.1...1.14.0)

---
updated-dependencies:
- dependency-name: sentry-sdk
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore(deps): bump requests from 2.25.1 to 2.31.0 in /infra/api

Bumps [requests](https://github.com/psf/requests) from 2.25.1 to 2.31.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.25.1...v2.31.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* fix: 403 http error consulcam website (#126)

issue caused by activation of cpanel badbots rule

* feat: allow to deploy lambda func locally (#96)

* fix: allow automatic installation

* fix : add docstring

* docs : add cody on gitpod (/mongulu-cm/lobembe#59)

* docs: add aws toolkit plugin

* feat(#71): Use lambda layers to delete api/package directory

Closes #71

* chore: clean unused files

* ci: fix deployment on master when tf file modified

* chore: clean terraform files

* fix: requirements.txt to reduce vulnerabilities (#162)

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-CERTIFI-3164749
- https://snyk.io/vuln/SNYK-PYTHON-CERTIFI-5805047
- https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-5595532

Co-authored-by: snyk-bot <[email protected]>

* fix: requirements.txt to reduce vulnerabilities (#150)

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-6150717

Co-authored-by: snyk-bot <[email protected]>

* fix: requirements.txt to reduce vulnerabilities (#177)

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-DETECTSECRETS-7361839

Co-authored-by: snyk-bot <[email protected]>

* fix: requirements.txt to reduce vulnerabilities (#170)

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-6928867

Co-authored-by: snyk-bot <[email protected]>

* fix: requirements.txt to reduce vulnerabilities (#179)

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-6809379
- https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-6928867
- https://snyk.io/vuln/SNYK-PYTHON-SELENIUM-6062316
- https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-7267250
- https://snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6035177
- https://snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6808933

Co-authored-by: snyk-bot <[email protected]>

* ci: update python tests

* ci: fix python test triggers

only on python modifications

* fix: 11:30:03.000
ProvisionedThroughputExceededException

Due to branch environments being scanned at the same time as prod

* fix: code doesn't raise locally on error

We needed to check on sentry which can be cumbersome

* refactor(#106): use textractor to simplify code

* Updated coverage.svg

* ci: fix invalid workflow

* fix: scan lambda issue due to count

* fix: make lambda layer

* fix: provisionedthroughputexceededException dynamodb links table (#189)

* feat: add demo again

* fix: UnidentifiedImageError

* Updated coverage.svg

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: fabiolatagne97 <[email protected]>
Co-authored-by: fabiolatagne97 <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Flomin TCHAWE <[email protected]>
Co-authored-by: Flomin TCHAWE <[email protected]>
Co-authored-by: pdjiela <[email protected]>
Co-authored-by: Patrick Djiela <[email protected]>
Co-authored-by: pdjiela <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com>
Co-authored-by: Joyce-Tchamdjou <[email protected]>
Co-authored-by: Tchepga <[email protected]>
Co-authored-by: tsafacjo <[email protected]>
Co-authored-by: Joyce-Tchamdjou <[email protected]>
Co-authored-by: ngnnpgn <[email protected]>
Co-authored-by: Joalia <[email protected]>
Co-authored-by: snyk-bot <[email protected]>