Bump jinja2 from 3.1.5 to 3.1.6 in /docs/cloud-workload-security/scripts

[dependabot]

Bumps jinja2 from 3.1.5 to 3.1.6.

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Commits

• 1520688 release version 3.1.6
• 90457bb Merge commit from fork
• 065334d attr filter uses env.getattr
• 033c200 start version 3.1.6
• bc68d4e use global contributing guide (#2070)
• 247de5e use global contributing guide
• ab8218c use project advisory link instead of global
• b4ffc8f release version 3.1.5 (#2066)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[paulcacheux]

/merge

[dd-devflow]

View all feedbacks in Devflow UI.
2025-03-14 14:14:23 UTC ℹ️ Start processing command /merge

---

2025-03-14 14:14:32 UTC ℹ️ MergeQueue: waiting for PR to be ready

This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

---

2025-03-14 18:15:04 UTC ⚠️ MergeQueue: This merge request was unqueued

devflow unqueued this merge request: It did not become mergeable within the expected time

[agent-platform-auto-pr]

Uncompressed package size comparison

Comparison with ancestor 841fd5b719f5e23615b9fe0a17fd3da9bbc41b2a

Diff per package

package	diff	status	size	ancestor	threshold
datadog-agent-amd64-deb	0.00MB	✅	807.48MB	807.48MB	0.50MB
datadog-agent-x86_64-rpm	0.00MB	✅	817.27MB	817.27MB	0.50MB
datadog-agent-x86_64-suse	0.00MB	✅	817.27MB	817.27MB	0.50MB
datadog-agent-arm64-deb	0.00MB	✅	798.45MB	798.45MB	0.50MB
datadog-agent-aarch64-rpm	0.00MB	✅	808.22MB	808.22MB	0.50MB
datadog-dogstatsd-amd64-deb	0.00MB	✅	39.34MB	39.34MB	0.50MB
datadog-dogstatsd-x86_64-rpm	0.00MB	✅	39.42MB	39.42MB	0.50MB
datadog-dogstatsd-x86_64-suse	0.00MB	✅	39.42MB	39.42MB	0.50MB
datadog-dogstatsd-arm64-deb	0.00MB	✅	37.87MB	37.87MB	0.50MB
datadog-heroku-agent-amd64-deb	0.00MB	✅	440.39MB	440.39MB	0.50MB
datadog-iot-agent-amd64-deb	0.00MB	✅	62.20MB	62.20MB	0.50MB
datadog-iot-agent-x86_64-rpm	0.00MB	✅	62.27MB	62.27MB	0.50MB
datadog-iot-agent-x86_64-suse	0.00MB	✅	62.27MB	62.27MB	0.50MB
datadog-iot-agent-arm64-deb	0.00MB	✅	59.42MB	59.42MB	0.50MB
datadog-iot-agent-aarch64-rpm	0.00MB	✅	59.49MB	59.49MB	0.50MB

Decision

✅ Passed

[agent-platform-auto-pr]

Static quality checks ✅

Please find below the results from static quality gates

Successful checks

Info

Result	Quality gate	On disk size	On disk size limit	On wire size	On wire size limit
✅	static_quality_gate_agent_deb_amd64	781.08 MiB	801.8 MiB	190.69 MiB	202.62 MiB
✅	static_quality_gate_agent_deb_arm64	772.45 MiB	793.14 MiB	173.76 MiB	184.51 MiB
✅	static_quality_gate_agent_rpm_amd64	781.07 MiB	801.79 MiB	193.37 MiB	205.03 MiB
✅	static_quality_gate_agent_rpm_arm64	772.44 MiB	793.09 MiB	174.52 MiB	186.44 MiB
✅	static_quality_gate_agent_suse_amd64	781.07 MiB	801.81 MiB	193.37 MiB	205.03 MiB
✅	static_quality_gate_agent_suse_arm64	772.44 MiB	793.14 MiB	174.52 MiB	186.44 MiB
✅	static_quality_gate_dogstatsd_deb_amd64	37.59 MiB	47.67 MiB	9.74 MiB	19.78 MiB
✅	static_quality_gate_dogstatsd_deb_arm64	36.19 MiB	46.27 MiB	8.45 MiB	18.49 MiB
✅	static_quality_gate_dogstatsd_rpm_amd64	37.59 MiB	47.67 MiB	9.75 MiB	19.79 MiB
✅	static_quality_gate_dogstatsd_suse_amd64	37.59 MiB	47.67 MiB	9.75 MiB	19.79 MiB
✅	static_quality_gate_iot_agent_deb_amd64	59.39 MiB	69.0 MiB	14.92 MiB	24.8 MiB
✅	static_quality_gate_iot_agent_deb_arm64	56.74 MiB	66.4 MiB	12.89 MiB	22.8 MiB
✅	static_quality_gate_iot_agent_rpm_amd64	59.39 MiB	69.0 MiB	14.95 MiB	24.8 MiB
✅	static_quality_gate_iot_agent_rpm_arm64	56.74 MiB	66.4 MiB	12.88 MiB	22.8 MiB
✅	static_quality_gate_iot_agent_suse_amd64	59.39 MiB	69.0 MiB	14.95 MiB	24.8 MiB
✅	static_quality_gate_docker_agent_amd64	866.22 MiB	886.12 MiB	291.45 MiB	304.21 MiB
✅	static_quality_gate_docker_agent_arm64	880.87 MiB	900.79 MiB	277.88 MiB	290.47 MiB
✅	static_quality_gate_docker_agent_jmx_amd64	1.04 GiB	1.06 GiB	366.55 MiB	379.33 MiB
✅	static_quality_gate_docker_agent_jmx_arm64	1.04 GiB	1.06 GiB	348.93 MiB	361.55 MiB
✅	static_quality_gate_docker_dogstatsd_amd64	45.73 MiB	55.78 MiB	17.25 MiB	27.28 MiB
✅	static_quality_gate_docker_dogstatsd_arm64	44.37 MiB	54.45 MiB	16.13 MiB	26.16 MiB
✅	static_quality_gate_docker_cluster_agent_amd64	264.87 MiB	274.78 MiB	106.3 MiB	116.28 MiB
✅	static_quality_gate_docker_cluster_agent_arm64	280.81 MiB	290.82 MiB	101.13 MiB	111.12 MiB

[agent-platform-auto-pr]

[Fast Unit Tests Report]

On pipeline 58850785 (CI Visibility). The following jobs did not run any unit tests:

Jobs:

• tests_deb-arm64-py3
• tests_deb-x64-py3
• tests_flavor_dogstatsd_deb-x64
• tests_flavor_heroku_deb-x64
• tests_flavor_iot_deb-x64
• tests_rpm-arm64-py3
• tests_rpm-x64-py3
• tests_windows-x64

If you modified Go files and expected unit tests to run in these jobs, please double check the job logs. If you think tests should have been executed reach out to #agent-devx-help

[cit-pr-commenter]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 854ebb16-9d98-4881-9c87-ca4771e27838

Baseline: 841fd5b
Comparison: 5d20e08
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_logs	% cpu utilization	+3.48	[+0.61, +6.35]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	+0.84	[+0.77, +0.91]	1	Logs bounds checks dashboard
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	+0.58	[-0.24, +1.41]	1	Logs
➖	quality_gate_idle	memory utilization	+0.53	[+0.48, +0.58]	1	Logs bounds checks dashboard
➖	file_to_blackhole_500ms_latency	egress throughput	+0.09	[-0.69, +0.87]	1	Logs
➖	file_to_blackhole_300ms_latency	egress throughput	+0.02	[-0.61, +0.65]	1	Logs
➖	file_to_blackhole_0ms_latency_http1	egress throughput	+0.01	[-0.74, +0.76]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.01	[-0.01, +0.02]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	+0.00	[-0.04, +0.04]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.00	[-0.28, +0.27]	1	Logs
➖	file_to_blackhole_0ms_latency_http2	egress throughput	-0.00	[-0.86, +0.85]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.01	[-0.71, +0.68]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.02	[-0.82, +0.79]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.07	[-0.83, +0.70]	1	Logs
➖	file_to_blackhole_1000ms_latency_linear_load	egress throughput	-0.10	[-0.56, +0.37]	1	Logs
➖	file_tree	memory utilization	-0.39	[-0.50, -0.28]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	-0.52	[-0.58, -0.46]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http1	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http1	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http2	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http2	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency_linear_load	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_300ms_latency	lost_bytes	10/10
✅	file_to_blackhole_300ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10
✅	quality_gate_logs	lost_bytes	10/10
✅	quality_gate_logs	memory_usage	10/10

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.