security: Fix Jinja2 and py library vulnerabilities (#243)

vinitkumar · web-flow · commit e4760444c52c · 2025-06-18T22:18:01.000+05:30
- Update Jinja2 from 3.1.5 to 3.1.6 to address ReDoS vulnerability - Remove py library (1.11.0) which has ReDoS vulnerability with no patch available - Regenerate requirements.txt files after dependency updates - Verify all 153 tests still pass after removing py library Fixes security vulnerabilities: - Jinja2 <= 3.1.5 (CVE-2024-22195) - py <= 1.11.0 (ReDoS in InfoSvnCommand)
diff --git a/docs/requirements.in b/docs/requirements.in
@@ -10,5 +10,5 @@ autodoc
 
 defusedxml
 tornado
-jinja2
+jinja2>=3.1.6
 idna
diff --git a/docs/requirements.txt b/docs/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pip-compile
+#    pip-compile requirements.in
 #
 alabaster==1.0.0
     # via sphinx
@@ -43,7 +43,7 @@ idna==3.10
     #   requests
 imagesize==1.4.1
     # via sphinx
-jinja2==3.1.5
+jinja2==3.1.6
     # via
     #   -r requirements.in
     #   sphinx
diff --git a/requirements-dev.in b/requirements-dev.in
@@ -5,7 +5,6 @@ pytest
 pytest-cov
 pytest-xdist>=3.5.0
 coverage
-py
 ruff>=0.3.0
 setuptools
 mypy>=1.0.0
diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -1,11 +1,15 @@
-# This file was autogenerated by uv via the following command:
-#    uv pip compile requirements-dev.in --output-file requirements-dev.txt
-coverage==7.6.11
+#
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
+#
+#    pip-compile requirements-dev.in
+#
+coverage[toml]==7.6.11
     # via
     #   -r requirements-dev.in
     #   pytest-cov
 defusedxml==0.7.1
-    # via -r requirements.in
+    # via -r /Users/vinitkumar/projects/python/json2xml/requirements.in
 execnet==2.1.1
     # via pytest-xdist
 iniconfig==2.0.0
@@ -18,8 +22,6 @@ packaging==24.2
     # via pytest
 pluggy==1.5.0
     # via pytest
-py==1.11.0
-    # via -r requirements-dev.in
 pytest==8.3.4
     # via
     #   -r requirements-dev.in
@@ -31,13 +33,14 @@ pytest-xdist==3.7.0
     # via -r requirements-dev.in
 ruff==0.11.13
     # via -r requirements-dev.in
-setuptools==80.9.0
-    # via -r requirements-dev.in
 types-setuptools==80.9.0.20250529
     # via -r requirements-dev.in
 typing-extensions==4.12.2
     # via mypy
 urllib3==2.3.0
-    # via -r requirements.in
+    # via -r /Users/vinitkumar/projects/python/json2xml/requirements.in
 xmltodict==0.14.2
     # via -r requirements-dev.in
+
+# The following packages are considered to be unsafe in a requirements file:
+# setuptools
