🔒 Security: Fix Jinja2 and py library vulnerabilities

[vinitkumar]

Security Fixes

This PR addresses two security vulnerabilities identified in the project dependencies:

🔐 Issues Fixed

1. Jinja2 <= 3.1.5 - ReDoS vulnerability (CVE-2024-22195)

   • Updated from to
   • Fixed in and regenerated

2. py <= 1.11.0 - ReDoS vulnerability in InfoSvnCommand

   • Removed the library entirely as no patch is available
   • The vulnerability only affects Subversion repository handling
   • Verified that this library was not actually needed for project functionality

✅ Testing

• All 153 tests pass successfully after the changes
• Dependencies reinstalled and verified working
• No breaking changes introduced

📋 Changes Made

• Updated to specify
• Removed from
• Regenerated both files using
• Verified test suite continues to pass

🔍 Security Impact

Both vulnerabilities have been resolved:

• Jinja2: Patched to latest secure version
• py: Removed entirely (was not required for functionality)

This PR resolves the security alerts identified by GitHub's Dependabot scanner.

Summary by Sourcery

Fix two ReDoS vulnerabilities by upgrading Jinja2 to 3.1.6, removing the unneeded py library, and regenerating requirement files with all tests passing

Bug Fixes:

• Patch Jinja2 to version 3.1.6 to address CVE-2024-22195 ReDoS vulnerability
• Remove py library to eliminate the ReDoS vulnerability in InfoSvnCommand

Enhancements:

• Regenerate requirements files with pip-compile after dependency updates

Documentation:

• Update requirements.txt and requirements.in files to reflect the dependency changes

[sourcery-ai]

Reviewer's Guide

Addresses ReDoS vulnerabilities by upgrading Jinja2, removing the unneeded py package, and regenerating all requirement lock files.

Class diagram for dependency management after security fixes

classDiagram
    class DependencyManager {
        +update_dependency(name, version)
        +remove_dependency(name)
        +regenerate_lock_files()
    }
    class Jinja2 {
        -version: string
    }
    class Py {
        -version: string
    }
    DependencyManager --> Jinja2 : manages
    DependencyManager --> Py : manages
    Jinja2 : version = "3.1.6"
    Py : removed

Loading

File-Level Changes

Change	Details	Files
Bumped Jinja2 to 3.1.6 to fix CVE-2024-22195	Updated jinja2 version in docs/requirements.txt Confirmed version bump in regenerated lock files	docs/requirements.txt
Removed py library due to ReDoS vulnerability in InfoSvnCommand	Deleted py entry from requirements-dev.in Validated removal had no functional impact	requirements-dev.in
Regenerated requirement lock files with pip-compile	Updated pip-compile invocation in docs/requirements.txt header Ran pip-compile requirements.in to regenerate docs/requirements.txt and requirements-dev.txt	docs/requirements.txt requirements-dev.txt

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @vinitkumar - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.30%. Comparing base (e095a20) to head (0c2585a).
⚠️ Report is 6 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #243   +/-   ##
=======================================
  Coverage   99.30%   99.30%           
=======================================
  Files           3        3           
  Lines         288      288           
=======================================
  Hits          286      286           
  Misses          2        2           

Flag	Coverage Δ
unittests	99.30% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.