Skip to content

[Build/CI] Upgrade jinja2 to get 3 moderate CVE fixes #14839

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 15, 2025
Merged

[Build/CI] Upgrade jinja2 to get 3 moderate CVE fixes #14839

merged 1 commit into from
Mar 15, 2025

Conversation

@russellb
Copy link
Member

@russellb russellb commented Mar 14, 2025

Versions prior to 3.1.6 are vulnerable to these 3 CVEs. We should ensure
we are using >=3.1.6 to avoid any potential security vulnerability via
jinja2.

Signed-off-by: Russell Bryant [email protected]

@russellb
[Build/CI] Upgrade jinja2 to get 3 moderate CVE fixes
3145f32 
Versions prior to 3.1.6 are vulnerable to these 3 CVEs. We should ensure
we are using >=3.1.6 to avoid any potential security vulnerability via
jinja2.

* GHSA-gmj6-6f8f-6699
* GHSA-q2x7-8rv6-6q7h
* GHSA-cpwx-vrp4-4pq7

Signed-off-by: Russell Bryant <[email protected]>
@github-actions
Copy link

github-actions bot commented Mar 14, 2025

👋 Hi! Thank you for contributing to the vLLM project.

💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels.

Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run fastcheck CI which starts running only a small and essential subset of CI tests to quickly catch errors. You can run other CI tests on top of those by going to your fastcheck build on Buildkite UI (linked in the PR checks section) and unblock them. If you do not have permission to unblock, ping simon-mo or khluu to add you in our Buildkite org.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can either: Add ready label to the PR or enable auto-merge.

🚀

@robertgshaw2-redhat robertgshaw2-redhat enabled auto-merge (squash) March 14, 2025 19:28
@mergify mergify bot added the ci/build label Mar 14, 2025
@github-actions github-actions bot added the ready ONLY add when PR is ready to merge/full CI is needed label Mar 14, 2025
@robertgshaw2-redhat robertgshaw2-redhat merged commit ee3778d into vllm-project:main Mar 15, 2025
67 checks passed
lulmer pushed a commit to lulmer/vllm that referenced this pull request Apr 7, 2025
@russellb @lulmer
[Build/CI] Upgrade jinja2 to get 3 moderate CVE fixes (vllm-project#1…
12e3b38 
…4839)

Signed-off-by: Russell Bryant <[email protected]>
Signed-off-by: Louis Ulmer <[email protected]>
@ckhordiasma ckhordiasma mentioned this pull request Apr 17, 2025
Closed
shreyankg pushed a commit to shreyankg/vllm that referenced this pull request May 3, 2025
@russellb @shreyankg
[Build/CI] Upgrade jinja2 to get 3 moderate CVE fixes (vllm-project#1…
404c78e 
…4839)

Signed-off-by: Russell Bryant <[email protected]>
RichardoMrMu pushed a commit to RichardoMrMu/vllm that referenced this pull request May 12, 2025
@russellb
[Build/CI] Upgrade jinja2 to get 3 moderate CVE fixes (vllm-project#1…
dfc8aa0 
…4839)

Signed-off-by: Russell Bryant <[email protected]>
Signed-off-by: Mu Huai <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robertgshaw2-redhat robertgshaw2-redhat robertgshaw2-redhat approved these changes

Assignees

No one assigned

Labels

ci/build ready ONLY add when PR is ready to merge/full CI is needed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@russellb @robertgshaw2-redhat