Releases: pallets/jinja
3.1.5
This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.
PyPI: https://pypi.org/project/Jinja2/3.1.5/
Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5
Milestone: https://github.com/pallets/jinja/milestone/16?closed=1
- The sandboxed environment handles indirect calls to
str.format
, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h - Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
- Sandbox does not allow
clear
andpop
on known mutable sequence types. #2032 - Calling sync
render
for an async template usesasyncio.run
. #1952 - Avoid unclosed
auto_aiter
warnings. #1960 - Return an
aclose
-ableAsyncGenerator
fromTemplate.generate_async
. #1960 - Avoid leaving
root_render_func()
unclosed inTemplate.generate_async
. #1960 - Avoid leaving async generators unclosed in blocks, includes and extends. #1960
- The runtime uses the correct
concat
function for the current environment when calling block references. #1701 - Make
|unique
async-aware, allowing it to be used after another async-aware filter. #1781 |int
filter handlesOverflowError
from scientific notation. #1921- Make compiling deterministic for tuple unpacking in a
{% set ... %}
call. #2021 - Fix dunder protocol (
copy
/pickle
/etc) interaction withUndefined
objects. #2025 - Fix
copy
/pickle
support for the internalmissing
object. #2027 Environment.overlay(enable_async)
is applied correctly. #2061- The error message from
FileSystemLoader
includes the paths that were searched. #1661 PackageLoader
shows a clearer error message when the package does not contain the templates directory. #1705- Improve annotations for methods returning copies. #1880
urlize
does not addmailto:
to values like@a@b
. #1870- Tests decorated with
@pass_context
can be used with the|select
filter. #1624 - Using
set
for multiple assignment (a, b = 1, 2
) does not fail when the target is a namespace attribute. #1413 - Using
set
in all branches of{% if %}{% elif %}{% else %}
blocks does not cause the variable to be considered initially undefined. #1253
3.1.4
This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
PyPI: https://pypi.org/project/Jinja2/3.1.4/
Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4
- The
xmlattr
filter does not allow keys with/
solidus,>
greater-than sign, or=
equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj
3.1.3
This is a fix release for the 3.1.x feature branch.
- Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using
xmlattr
and passing user input as attribute keys. - Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
- Milestone: https://github.com/pallets/jinja/milestone/15?closed=1
3.1.2
This is a fix release for the 3.1.0 feature release.
3.1.1
3.1.0
This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.
3.0.3
3.0.2
3.0.1
3.0.0
New major versions of all the core Pallets libraries, including Jinja 3.0, have been released! ๐
- Read the announcement on our blog: https://palletsprojects.com/blog/flask-2-0-released/
- Read the full list of changes: https://jinja.palletsprojects.com/changes/#version-3-0-0
- Retweet the announcement on Twitter: https://twitter.com/PalletsTeam/status/1392266507296514048
- Follow our blog, Twitter, or GitHub to see future announcements.
This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.