Releases: pallets/jinja
3.1.4
This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
PyPI: https://pypi.org/project/Jinja2/3.1.4/
Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4
- The
xmlattr
filter does not allow keys with/
solidus,>
greater-than sign, or=
equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj
3.1.3
This is a fix release for the 3.1.x feature branch.
- Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using
xmlattr
and passing user input as attribute keys. - Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
- Milestone: https://github.com/pallets/jinja/milestone/15?closed=1
3.1.2
This is a fix release for the 3.1.0 feature release.
3.1.1
3.1.0
This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.
3.0.3
3.0.2
3.0.1
3.0.0
New major versions of all the core Pallets libraries, including Jinja 3.0, have been released! 🎉
- Read the announcement on our blog: https://palletsprojects.com/blog/flask-2-0-released/
- Read the full list of changes: https://jinja.palletsprojects.com/changes/#version-3-0-0
- Retweet the announcement on Twitter: https://twitter.com/PalletsTeam/status/1392266507296514048
- Follow our blog, Twitter, or GitHub to see future announcements.
This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.