bouncer
Bump jinja2 from 3.1.3 to 3.1.4 in /requirements
Bumps jinja2 from 3.1.3 to 3.1.4.
Release notes
Sourced from jinja2's releases.
3.1.4
This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4
- The xmlattr filter does not allow keys with / (solidus), > (greater-than sign), or = (equals sign), in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj
Changelog
Sourced from jinja2's changelog.
Version 3.1.4
Released 2024-05-05
- The xmlattr filter does not allow keys with / (solidus), > (greater-than sign), or = (equals sign), in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj
Commits
- dd4a8b5 release version 3.1.4
- 0668239 Merge pull request from GHSA-h75v-3vvj-5mfj
- d655030 disallow invalid characters in keys to xmlattr filter
- a7863ba add ghsa links
- b5c98e7 start version 3.1.4
- da3a9f0 update project files (#1968)
- 0ee5eb4 satisfy formatter, linter, and strict mypy
- 20477c6 update project files (#5457)
- e491223 update pyyaml dev dependency
- 36f9885 fix pr link
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
This isn't something we've discussed recently but definitely worth considering. Even though Electron does a lot of work for us, we're cautious about the potential overhead of adding additional means of delivery for Hypothesis that we need to maintain.
Something like a Chrome App might be a simpler way of delivering a lightweight-feeling viewer for academic papers - though I haven't investigated this in detail myself.
@robertknight: Thanks for the reply! I understand your point about additional overhead. Personally, I'm not a fan of the Chrome App route, given that I prefer Firefox. :) Also, this would continue to rely on me having a browser open, I believe.
Please keep me posted on your plans. As I said, I'm not a developer, but I'd be happy to help with testing and feedback.
In the near term the first thing we are currently aiming to ship is a proper Firefox extension and we'd appreciate help with testing that. Offline support will most likely happen later.
Both Electron and Chrome Apps are actually Chrome browsers with two major differences from a user's point of view - they show up as independent apps in the desktop and they don't show the standard browser chrome (tabs, omnibox, menus). A Chrome App does need to be installed via Chrome in the first place however. Once installed you can run one without launching Chrome itself.
In the near term the first thing we are currently aiming to ship is a proper Firefox extension and we'd appreciate help with testing that.
Happy to help!
Offline support will most likely happen later.
Yeah, I've been following hypothesis/h and hypothesis/vision. :)
Both Electron and Chrome Apps are actually Chrome browsers […]
True, but I don't believe Electron apps actually need a browser installed in the first place. Also, as I understand it, it is built on a really stripped-down version of Chromium and also offers more desktop integration.
Hello Robert,
Any news about the Firefox extension? All the best, max
Hi max - Sorry, not yet. There are several PRs open from an external contributor but they are still waiting for review from us.