From 143eb2efc7b644bc8db4280da0d6582a6f1cd58f Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 22 Dec 2024 18:09:58 +0100 Subject: [PATCH] python312Packages.jinja2: 3.1.4 -> 3.1.5 https://github.com/pallets/jinja/releases/tag/3.1.5 https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699 Fixes: CVE-2024-56326, CVE-2024-56201 --- .../python-modules/jinja2/default.nix | 26 ++++++++++--------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/pkgs/development/python-modules/jinja2/default.nix b/pkgs/development/python-modules/jinja2/default.nix index 995f436a8242a..d9c5c674eb9e7 100644 --- a/pkgs/development/python-modules/jinja2/default.nix +++ b/pkgs/development/python-modules/jinja2/default.nix @@ -21,19 +21,29 @@ buildPythonPackage rec { pname = "jinja2"; - version = "3.1.4"; + version = "3.1.5"; pyproject = true; disabled = pythonOlder "3.7"; src = fetchPypi { inherit pname version; - hash = "sha256-Sjruesu+cwOu3o6WSNE7i/iKQpKCqmEiqZPwrIAMs2k="; + hash = "sha256-j+//jcMDTie7gNZ8Zx64qbxCTA70wIJu2/8wTM7/Q7s="; }; - nativeBuildInputs = [ flit-core ]; + postPatch = '' + # Do not test with trio, it increases jinja2's dependency closure by a lot + # and everyone consuming these dependencies cannot rely on sphinxHook, + # because sphinx itself depends on jinja2. + substituteInPlace tests/test_async{,_filters}.py \ + --replace-fail "import trio" "" \ + --replace-fail ", trio.run" "" \ + --replace-fail ", \"trio\"" "" + ''; - propagatedBuildInputs = [ markupsafe ]; + build-system = [ flit-core ]; + + dependencies = [ markupsafe ]; optional-dependencies = { i18n = [ babel ]; 
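Review bot: The comment in the new `postPatch` explains why trio is dropped but not what the three `--replace-fail` substitutions leave behind: the async fixtures in `tests/test_async.py` and `tests/test_async_filters.py` presumably run on the asyncio backend only afterwards, so the trio path is no longer exercised in this package's check phase. I would add a line such as `# Async tests then run on asyncio only; --replace-fail aborts the build if upstream rewords these lines.` so the next bump knows that failure is expected and where to look. Because the brace expansion hands both files to a single `substituteInPlace` call, each of the three patterns has to occur in both files or the build stops; that is the safe direction, but it is worth confirming against the 3.1.5 sdist. Separately, the hunk mixes the security bump (version and hash, for CVE-2024-56326 and CVE-2024-56201) with the `build-system`/`dependencies` rename, which may make the fix harder to cherry-pick onto a release branch.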
@@ -45,14 +55,6 @@ buildPythonPackage rec { nativeCheckInputs = [ pytestCheckHook ] ++ optional-dependencies.i18n; - disabledTests = lib.optionals (pythonAtLeast "3.13") [ - # https://github.com/pallets/jinja/issues/1900 - "test_custom_async_iteratable_filter" - "test_first" - "test_loop_errors" - "test_package_zip_list" - ]; - passthru.doc = stdenv.mkDerivation { # Forge look and feel of multi-output derivation as best as we can. #