Bump jinja2 to 3.1.5 in llvm/docs/requirements-hashed.txt (#16717)

lucyli-ca · web-flow · commit ac035eb9c6cb · 2025-01-21T16:15:49.000Z
PR to bump dependency version to resolve security vulnerability found. In current version, Jinja has a sandbox breakout through malicious filenames - a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. Additional details: Weaknesses: CWE-150 CVE ID: CVE-2024-56201
diff --git a/llvm/docs/requirements-hashed.txt b/llvm/docs/requirements-hashed.txt
@@ -151,7 +151,7 @@ imagesize==1.4.1 \
     --hash=sha256:0d8d18d08f840c19d0ee7ca1fd82490fdc3729b7ac93f49870406ddde8ef8d8b \
     --hash=sha256:69150444affb9cb0d5cc5a92b3676f0b2fb7cd9ae39e947a5e11a36b4497cd4a
     # via sphinx
-jinja2==3.1.4 \
+jinja2==3.1.5 \
     --hash=sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369 \
     --hash=sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d
     # via
