:arrow_up: Updates Jinja2 to v3.1.6 [SECURITY] by renovate[bot] · Pull Request #3547 · AlexRogalskiy/java-patterns

renovate · 2026-03-30T22:32:07Z

This PR contains the following updates:

Package	Change	Age	Confidence
Jinja2 (changelog)	`==3.0.3` → `==3.1.6`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-22195

The xmlattr filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the xmlattr filter, and an application doing so should already be verifying what keys are provided regardless of this fix.

CVE-2024-34064

The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.

Accepting keys as user input is now explicitly considered an unintended use case of the xmlattr filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe.

CVE-2024-56326

An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code.

To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.

Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.

CVE-2024-56201

A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.

To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.

CVE-2025-27516

An oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code.

To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.

Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup.

Release Notes

pallets/jinja (Jinja2)

`v3.1.6`

Compare Source

Released 2025-03-05

The |attr filter does not bypass the environment's attribute lookup,
allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

`v3.1.5`

Compare Source

Released 2024-12-21

The sandboxed environment handles indirect calls to str.format, such as
by passing a stored reference to a filter that calls its argument.
:ghsa:q2x7-8rv6-6q7h
Escape template name before formatting it into error messages, to avoid
issues with names that contain f-string syntax.
:issue:1792, :ghsa:gmj6-6f8f-6699
Sandbox does not allow clear and pop on known mutable sequence
types. :issue:2032
Calling sync render for an async template uses asyncio.run.
:pr:1952
Avoid unclosed auto_aiter warnings. :pr:1960
Return an aclose-able AsyncGenerator from
Template.generate_async. :pr:1960
Avoid leaving root_render_func() unclosed in
Template.generate_async. :pr:1960
Avoid leaving async generators unclosed in blocks, includes and extends.
:pr:1960
The runtime uses the correct concat function for the current environment
when calling block references. :issue:1701
Make |unique async-aware, allowing it to be used after another
async-aware filter. :issue:1781
|int filter handles OverflowError from scientific notation.
:issue:1921
Make compiling deterministic for tuple unpacking in a {% set ... %}
call. :issue:2021
Fix dunder protocol (copy/pickle/etc) interaction with Undefined
objects. :issue:2025
Fix copy/pickle support for the internal missing object.
:issue:2027
Environment.overlay(enable_async) is applied correctly. :pr:2061
The error message from FileSystemLoader includes the paths that were
searched. :issue:1661
PackageLoader shows a clearer error message when the package does not
contain the templates directory. :issue:1705
Improve annotations for methods returning copies. :pr:1880
urlize does not add mailto: to values like @a@b. :pr:1870
Tests decorated with @pass_context`` can be used with the ``|select`` filter. :issue:1624`
Using set for multiple assignment (a, b = 1, 2) does not fail when the
target is a namespace attribute. :issue:1413
Using set in all branches of {% if %}{% elif %}{% else %} blocks
does not cause the variable to be considered initially undefined.
:issue:1253

`v3.1.4`

Compare Source

Released 2024-05-05

The xmlattr filter does not allow keys with / solidus, >
greater-than sign, or = equals sign, in addition to disallowing spaces.
Regardless of any validation done by Jinja, user input should never be used
as keys to this filter, or must be separately validated first.
:ghsa:h75v-3vvj-5mfj

`v3.1.3`

Compare Source

Released 2024-01-10

Fix compiler error when checking if required blocks in parent templates are
empty. :pr:1858
xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
Make error messages stemming from invalid nesting of {% trans %} blocks
more helpful. :pr:1918

`v3.1.2`

Compare Source

Released 2022-04-28

Add parameters to Environment.overlay to match __init__.
:issue:1645
Handle race condition in FileSystemBytecodeCache. :issue:1654

`v3.1.1`

Compare Source

Released 2022-03-25

The template filename on Windows uses the primary path separator.
:issue:1637

`v3.1.0`

Compare Source

Released 2022-03-24

Drop support for Python 3.6. :pr:1534
Remove previously deprecated code. :pr:1544
- WithExtension and AutoEscapeExtension are built-in now.
- contextfilter and contextfunction are replaced by
  pass_context. evalcontextfilter and
  evalcontextfunction are replaced by pass_eval_context.
  environmentfilter and environmentfunction are replaced
  by pass_environment.
- Markup and escape should be imported from MarkupSafe.
- Compiled templates from very old Jinja versions may need to be
  recompiled.
- Legacy resolve mode for Context subclasses is no longer
  supported. Override resolve_or_missing instead of
  resolve.
- unicode_urlencode is renamed to url_quote.
Add support for native types in macros. :issue:1510
The {% trans %} tag can use pgettext and npgettext by
passing a context string as the first token in the tag, like
{% trans "title" %}. :issue:1430
Update valid identifier characters from Python 3.6 to 3.7.
:pr:1571
Filters and tests decorated with @async_variant are pickleable.
:pr:1612
Add items filter. :issue:1561
Subscriptions ([0], etc.) can be used after filters, tests, and
calls when the environment is in async mode. :issue:1573
The groupby filter is case-insensitive by default, matching
other comparison filters. Added the case_sensitive parameter to
control this. :issue:1463
Windows drive-relative path segments in template names will not
result in FileSystemLoader and PackageLoader loading from
drive-relative paths. :pr:1621

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2026-03-30T22:32:10Z

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

Branch has one or more failed status checks

github-actions · 2026-03-30T22:33:04Z

@check-spelling-bot Report

Unrecognized words, please review:

adr
akka
alexrogalskiy
allcontributors
api
arcver
assing
badgen
BETTERCODE
betterjavacode
blogspot
boopickle
bootcamp
brightgreen
bugfixes
buymeacoffee
ceb
codeready
codesandbox
codetriage
committers
configmaps
debezium
demystified
dependabot
devcases
devfile
dirtyreload
DOI
dreamix
dropdown
eab
eap
eisele
embeddableinstantiator
embeddables
facebook
fastai
fastpages
fastparse
firsttimersonly
flushmode
forthebadge
frapsoft
freemarker
FRP
fthomas
gerrit
getquill
GIFs
gitbook
gitflow
githubbox
gitpod
GPLv
Gradle
grunwald
guideslines
gunnar
Hashids
Hasids
helloworld
hitsofcode
hmil
infoworld
insidejava
Instantiator
IPhone
istio
janssen
japgolly
javacodegeeks
javafx
javamelody
javaone
JAVAPROG
jboss
jcliff
jdbc
jdk
jextract
jfr
jfrunit
johan
jpa
JRE
jsonignore
jsp
jsparty
julienrf
Jupyter
kubernetes
latestdoi
LETSTALK
letstalkaboutjava
LGPL
LGPLv
lihaoyi
liskov
logfile
mades
makeapullrequest
markdownguide
markus
matryoshka
mcve
mega
microservices
milessabin
mirrorring
mkdocs
modelviewculture
monix
mtl
mutationquery
namespaces
nestjs
Netflix
newreleases
nullables
nvie
objectmappers
odl
openapi
opengraph
opentelemetry
osslifecycle
oyanglul
pagespeedresultmobile
pasteable
patreon
paypal
PITMP
plumbr
podcast
precog
pufler
pypa
quarkus
quicklens
RANDOMTHOUGHTS
randomthoughtsonjavaprogramming
rce
reactify
readthedocs
reddit
renovatebot
reporoster
repostatus
resteasy
rfm
Rogalskiy
rogalsky
rubyonrails
runtimes
scalacss
scalafiddle
scalafmt
scalajs
scalameta
scalanlp
scalastyle
scalaz
scm
seeyoufarm
selectionquery
softwaremill
sourcegraph
spamming
splunk
sql
squants
squbs
sscce
stakeholders
starchart
sttp
stylegu
suggestig
suzaku
thejavaprogrammer
thorben
tilda
tokei
trufoj
tsb
tsbleo
tscojc
tscqlg
tsd
tsdllr
typelevel
udash
upickle
urt
ussue
violoate
vos
wget
wildfly
wix
workspaces
zenodo
zgc
zio

Previously acknowledged words that are now absent

acl activesupport adaoraul addons aeiou AFile afterall Alexey alfredxing algolia allowfullscreen Anatoliy andreyvit Ankit Anning apps appveyor arengu args ariejan arounds asciinema asdf ashmaroli attr Autobuild autocompletion autogenerated Autolink autoload autoreconf autosave awood awscli backport backtick barcamp baseurl bashrc baz bbatsov bdimcheff bellvat benbalter Beney binstubs bip bitbucket Blogger blogging bonafide Bou breadcrumbs briandoll bridgetown bridgetownrb brightbox brighterplanet buddyworks Bugfix Burela byparker cachegrind calavera callgraphs cartera cavalle CDNs cgi changefreq chango charset Chayoung chcp chdir Cheatsheet Checkoway chmod chown Chrononaut chruby cibuild cimg circleci CJK classname cloudcannon Cloudinary cloudsh CLT CODEOWNERS coderay codeslinger coffeescript colorator commandline commonmark compat compatibilize concat configyml contentblocks CORS Cov CRLFs cron crontab cruft css csv Currin CVE CWD cygwin daringfireball Dassonville datafiles datetime DCEU Debian debuggability defunkt delegators deployer deps dest Devkit devops digitalocean dirs disqus ditaa dnf doclist doctype doeorg dommmel dotfile Dousse downcase downcased duckduckgo duritong Dusseau dysinger ecf editorconfig eduardoboucas Elasticsearch elsif Emacs emails endcapture endcomment endfor endhighlight endif endraw endrender endtablerow Enumerables EOL erb errordocument Espinaco eugenebolshakov evaled exe execjs extensionpack extname exts favicon Fengyun ffi figcaption filesystem Finazzo firstimage FIXME flakey flickr fnmatch fontello forloop formcake formcarry formester formingo formkeep formspark formspree formx Forwardable frameborder freenode frontend frontmatter fsnotify ftp fullstory Gaudino gcc gcnovus gemfile gemset gemspec getform getset getsimpleform gettalong gfm ghp ghpages giraffeacademy githubcom gitignore gitlab gjtorikian globbed globbing google gotcha Goulven gridism GSo gsub gsubbing Hakiri hardcode hashbang hashmap helaili henrik heredoc heroku highlighter hilighting Hoizey hostman hostname htaccess htm htmlproofer httpd httpdocs hyperlinks Iaa ial ico icomoon iconset ified iframe Impl Inlining invokables irc ivey ize jalali jameshamann jamstackthemes jan Jax jayferd jcon jdoe jeffreytse jeffrydegrande Jekpack jekyllbot jekyllconf Jekyllers Jekyllin Jekylling jekyllized jekylllayoutconcept jekyllrb jekyllthemes jemoji jmcglone jneen johnreilly jpg jqr jruby jsonify juretta jwarby Kacper Kasberg kbd Kentico Kewin keycdn kickster Kinnula kiwifruit Kolesky konklone kontent Kotvinsky kramdown Kulig Kwokfu Lamprecht laquo lastmod launchctl launchy laurilehmijoki ldquo learnxinyminutes lexer LGTM libcurl libffi lightgray limjh linenos linkify linux liufengyun livereload localheinz localtime Locher loglevel Losslessly lovin lsi lsquo lstrip lyche macos macromates mademistakes Manmeet markdownify Maroli Marsceill maruku mathjax mathml mattr Maximiliano mchung mdash memberspace Memoize memoized memoizing mentoring mergable Mertcan mertkahyaoglu microdata mimetype mingw minibundle minifier minitest Mittal mixin mkasberg mkd mkdir mkdn mkdown mmistakes modernizr mojombo moncefbelyamani moz mreid msdn mswin MSYS mtime multiline munging Mvvm myblog mycontent mydata mydoc myimage mypage myposts myproject myrepo mysite myvalue myvar myvariable Nadjib nakanishi namespace namespaced navbar nbsp nearlyfreespeech nethack netlify netlifycms Neue nginx ngx nielsenramon nior noifniof nokogiri notextile onclick onebox oneclick onschedule openssl Optim orderofinterpretation orgs OSVDB osx packagecontrol pacman paginator pandoc pantulis params parkr parseable paspagon passthrough pathawks Pathutil paywall pdf Pelykh permalink PHP pinboard Piwigo pjhyett pkill pkpass placeholders planetjekyll plantuml plugin podcasts popen Porcel Posterous postfiles postlayout postmodern prefetching preinstalled prepends Prioritise Probot projectlist pubstorm pufuwozu pwa pwd pygments qrush Quaid rackup Rakefile razorops rbenv rdiscount rdoc rdquo realz rebund redcarpet redcloth redgreen refactor Refheap regen regex regexp remi reqs Responsify revertable rfc rfelix RHEL ridk roadmap rowspan rspec rsquo rstrip rsync rtomayko Rubo rubocop rubychan rubygem rubyinstaller rubyprof Ruparelia Rusiczki rvm ryanflorence saas samplelist samrayner sandboxed Sassc sassify schemastore Schroers Schwartzian scp scrollbar scroller scss scssify sdk SDKROOT sectore seo serverless setenv SFTP shingo shopify shortlog shoulda sieversii sigpipe simplecov Singhaniya siteleaf sitemap SITENAME Slicehost slugified slugify smartforms smartify snipcart somedir sonnym Sonomy sourced sourcemaps spam spotify ssg ssh SSL staticfiles staticman statictastic STDERR stdout Stickyposts strftime stringified Stringify stylesheet subdir subdomain subfolder subfolderitems subnav subpages subpath subpiece subsubfolderitems subthing subvalues subwidget sudo superdirectories superdirs SUSE sverrirs svn swfobject swupd symlink symlinking tablerow tada Taillandier talkyard tbody technicalpickles templating templatize Termux textilize textpattern thead therubyracer Theunissen Thornquest thoughtbot throughs Tidelift timeago timezone titleize TLS tmm tmp toc tok tomjoht toml tomo toolset toshimaru triaged triaging truncatewords tsv ttf Tudou Tumblr Tweetsert txtpen Tyborska tzinfo ubuntu uby ujh ultron undumpable unencode Unescape unescaping unicode uniq upcase uppercasing uri urlset username usr utf utils utime vanpelt Vasovi vendored vercel versioned vertycal Veyor vilcans Vishesh visualstudio vnd vohedge vps vscode vwochnik Walkthroughs wdm We'd webfont webhook webhosting webmentions webrick weekdate whitelist whitelisting wikipedia wildcards willcodeforfoo woff wordpress Workaround wsl xcode xcrun xdg Xhmikos xhtml Xiaoiver XMinutes xmlns xmlschema yajl Yarp Yashu Yastreb Youku youtube yunbox zeropadding Zlatan zlib zoneinfo zpinter Zsh zshrc zypper zzot

To accept these unrecognized words as correct (and remove the previously acknowledged and now absent words), run the following commands

... in a clone of the git@github.com:AlexRogalskiy/java-patterns.git repository
on the renovate/pypi-jinja2-vulnerability branch:

update_files() {
perl -e '
my @expect_files=qw('".github/actions/spelling/expect.txt"');
@ARGV=@expect_files;
my @stale=qw('"$patch_remove"');
my $re=join "|", @stale;
my $suffix=".".time();
my $previous="";
sub maybe_unlink { unlink($_[0]) if $_[0]; }
while (<>) {
if ($ARGV ne $old_argv) { maybe_unlink($previous); $previous="$ARGV$suffix"; rename($ARGV, $previous); open(ARGV_OUT, ">$ARGV"); select(ARGV_OUT); $old_argv = $ARGV; }
next if /^(?:$re)(?:(?:\r|\n)*$| .*)/; print;
}; maybe_unlink($previous);'
perl -e '
my $new_expect_file=".github/actions/spelling/expect.txt";
use File::Path qw(make_path);
use File::Basename qw(dirname);
make_path (dirname($new_expect_file));
open FILE, q{<}, $new_expect_file; chomp(my @words = <FILE>); close FILE;
my @add=qw('"$patch_add"');
my %items; @items{@words} = @words x (1); @items{@add} = @add x (1);
@words = sort {lc($a)."-".$a cmp lc($b)."-".$b} keys %items;
open FILE, q{>}, $new_expect_file; for my $word (@words) { print FILE "$word\n" if $word =~ /\w/; };
close FILE;
system("git", "add", $new_expect_file);
'
}

comment_json=$(mktemp)
curl -L -s -S \
  --header "Content-Type: application/json" \
  "https://api.github.com/repos/AlexRogalskiy/java-patterns/issues/comments/4158570484" > "$comment_json"
comment_body=$(mktemp)
jq -r .body < "$comment_json" > $comment_body
rm $comment_json

patch_remove=$(perl -ne 'next unless s{^</summary>(.*)</details>$}{$1}; print' < "$comment_body")
  

patch_add=$(perl -e '$/=undef;
$_=<>;
s{<details>.*}{}s;
s{^#.*}{};
s{\n##.*}{};
s{(?:^|\n)\s*\*}{}g;
s{\s+}{ }g;
print' < "$comment_body")
  
update_files
rm $comment_body
git add -u

If you see a bunch of garbage

If it relates to a ...

well-formed pattern

See if there's a pattern that would match it.

If not, try writing one and adding it to the patterns.txt file.

Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

Note that patterns can't match multiline strings.

binary-ish string

Please add a file path to the excludes.txt file instead of just accepting the garbage.

File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

github-actions · 2026-04-06T01:15:04Z

@check-spelling-bot Report

Unrecognized words, please review:

adr
akka
alexrogalskiy
allcontributors
api
arcver
assing
badgen
BETTERCODE
betterjavacode
blogspot
boopickle
bootcamp
brightgreen
bugfixes
buymeacoffee
ceb
codeready
codesandbox
codetriage
committers
configmaps
debezium
demystified
dependabot
devcases
devfile
dirtyreload
DOI
dreamix
dropdown
eab
eap
eisele
embeddableinstantiator
embeddables
facebook
fastai
fastpages
fastparse
firsttimersonly
flushmode
forthebadge
frapsoft
freemarker
FRP
fthomas
gerrit
getquill
GIFs
gitbook
gitflow
githubbox
gitpod
GPLv
Gradle
grunwald
guideslines
gunnar
Hashids
Hasids
helloworld
hitsofcode
hmil
infoworld
insidejava
Instantiator
IPhone
istio
janssen
japgolly
javacodegeeks
javafx
javamelody
javaone
JAVAPROG
jboss
jcliff
jdbc
jdk
jextract
jfr
jfrunit
johan
jpa
JRE
jsonignore
jsp
jsparty
julienrf
Jupyter
kubernetes
latestdoi
LETSTALK
letstalkaboutjava
LGPL
LGPLv
lihaoyi
liskov
logfile
mades
makeapullrequest
markdownguide
markus
matryoshka
mcve
mega
microservices
milessabin
mirrorring
mkdocs
modelviewculture
monix
mtl
mutationquery
namespaces
nestjs
Netflix
newreleases
nullables
nvie
objectmappers
odl
openapi
opengraph
opentelemetry
osslifecycle
oyanglul
pagespeedresultmobile
pasteable
patreon
paypal
PITMP
plumbr
podcast
precog
pufler
pypa
quarkus
quicklens
RANDOMTHOUGHTS
randomthoughtsonjavaprogramming
rce
reactify
readthedocs
reddit
renovatebot
reporoster
repostatus
resteasy
rfm
Rogalskiy
rogalsky
rubyonrails
runtimes
scalacss
scalafiddle
scalafmt
scalajs
scalameta
scalanlp
scalastyle
scalaz
scm
seeyoufarm
selectionquery
softwaremill
sourcegraph
spamming
splunk
sql
squants
squbs
sscce
stakeholders
starchart
sttp
stylegu
suggestig
suzaku
thejavaprogrammer
thorben
tilda
tokei
trufoj
tsb
tsbleo
tscojc
tscqlg
tsd
tsdllr
typelevel
udash
upickle
urt
ussue
violoate
vos
wget
wildfly
wix
workspaces
zenodo
zgc
zio

Previously acknowledged words that are now absent

acl activesupport adaoraul addons aeiou AFile afterall Alexey alfredxing algolia allowfullscreen Anatoliy andreyvit Ankit Anning apps appveyor arengu args ariejan arounds asciinema asdf ashmaroli attr Autobuild autocompletion autogenerated Autolink autoload autoreconf autosave awood awscli backport backtick barcamp baseurl bashrc baz bbatsov bdimcheff bellvat benbalter Beney binstubs bip bitbucket Blogger blogging bonafide Bou breadcrumbs briandoll bridgetown bridgetownrb brightbox brighterplanet buddyworks Bugfix Burela byparker cachegrind calavera callgraphs cartera cavalle CDNs cgi changefreq chango charset Chayoung chcp chdir Cheatsheet Checkoway chmod chown Chrononaut chruby cibuild cimg circleci CJK classname cloudcannon Cloudinary cloudsh CLT CODEOWNERS coderay codeslinger coffeescript colorator commandline commonmark compat compatibilize concat configyml contentblocks CORS Cov CRLFs cron crontab cruft css csv Currin CVE CWD cygwin daringfireball Dassonville datafiles datetime DCEU Debian debuggability defunkt delegators deployer deps dest Devkit devops digitalocean dirs disqus ditaa dnf doclist doctype doeorg dommmel dotfile Dousse downcase downcased duckduckgo duritong Dusseau dysinger ecf editorconfig eduardoboucas Elasticsearch elsif Emacs emails endcapture endcomment endfor endhighlight endif endraw endrender endtablerow Enumerables EOL erb errordocument Espinaco eugenebolshakov evaled exe execjs extensionpack extname exts favicon Fengyun ffi figcaption filesystem Finazzo firstimage FIXME flakey flickr fnmatch fontello forloop formcake formcarry formester formingo formkeep formspark formspree formx Forwardable frameborder freenode frontend frontmatter fsnotify ftp fullstory Gaudino gcc gcnovus gemfile gemset gemspec getform getset getsimpleform gettalong gfm ghp ghpages giraffeacademy githubcom gitignore gitlab gjtorikian globbed globbing google gotcha Goulven gridism GSo gsub gsubbing Hakiri hardcode hashbang hashmap helaili henrik heredoc heroku highlighter hilighting Hoizey hostman hostname htaccess htm htmlproofer httpd httpdocs hyperlinks Iaa ial ico icomoon iconset ified iframe Impl Inlining invokables irc ivey ize jalali jameshamann jamstackthemes jan Jax jayferd jcon jdoe jeffreytse jeffrydegrande Jekpack jekyllbot jekyllconf Jekyllers Jekyllin Jekylling jekyllized jekylllayoutconcept jekyllrb jekyllthemes jemoji jmcglone jneen johnreilly jpg jqr jruby jsonify juretta jwarby Kacper Kasberg kbd Kentico Kewin keycdn kickster Kinnula kiwifruit Kolesky konklone kontent Kotvinsky kramdown Kulig Kwokfu Lamprecht laquo lastmod launchctl launchy laurilehmijoki ldquo learnxinyminutes lexer LGTM libcurl libffi lightgray limjh linenos linkify linux liufengyun livereload localheinz localtime Locher loglevel Losslessly lovin lsi lsquo lstrip lyche macos macromates mademistakes Manmeet markdownify Maroli Marsceill maruku mathjax mathml mattr Maximiliano mchung mdash memberspace Memoize memoized memoizing mentoring mergable Mertcan mertkahyaoglu microdata mimetype mingw minibundle minifier minitest Mittal mixin mkasberg mkd mkdir mkdn mkdown mmistakes modernizr mojombo moncefbelyamani moz mreid msdn mswin MSYS mtime multiline munging Mvvm myblog mycontent mydata mydoc myimage mypage myposts myproject myrepo mysite myvalue myvar myvariable Nadjib nakanishi namespace namespaced navbar nbsp nearlyfreespeech nethack netlify netlifycms Neue nginx ngx nielsenramon nior noifniof nokogiri notextile onclick onebox oneclick onschedule openssl Optim orderofinterpretation orgs OSVDB osx packagecontrol pacman paginator pandoc pantulis params parkr parseable paspagon passthrough pathawks Pathutil paywall pdf Pelykh permalink PHP pinboard Piwigo pjhyett pkill pkpass placeholders planetjekyll plantuml plugin podcasts popen Porcel Posterous postfiles postlayout postmodern prefetching preinstalled prepends Prioritise Probot projectlist pubstorm pufuwozu pwa pwd pygments qrush Quaid rackup Rakefile razorops rbenv rdiscount rdoc rdquo realz rebund redcarpet redcloth redgreen refactor Refheap regen regex regexp remi reqs Responsify revertable rfc rfelix RHEL ridk roadmap rowspan rspec rsquo rstrip rsync rtomayko Rubo rubocop rubychan rubygem rubyinstaller rubyprof Ruparelia Rusiczki rvm ryanflorence saas samplelist samrayner sandboxed Sassc sassify schemastore Schroers Schwartzian scp scrollbar scroller scss scssify sdk SDKROOT sectore seo serverless setenv SFTP shingo shopify shortlog shoulda sieversii sigpipe simplecov Singhaniya siteleaf sitemap SITENAME Slicehost slugified slugify smartforms smartify snipcart somedir sonnym Sonomy sourced sourcemaps spam spotify ssg ssh SSL staticfiles staticman statictastic STDERR stdout Stickyposts strftime stringified Stringify stylesheet subdir subdomain subfolder subfolderitems subnav subpages subpath subpiece subsubfolderitems subthing subvalues subwidget sudo superdirectories superdirs SUSE sverrirs svn swfobject swupd symlink symlinking tablerow tada Taillandier talkyard tbody technicalpickles templating templatize Termux textilize textpattern thead therubyracer Theunissen Thornquest thoughtbot throughs Tidelift timeago timezone titleize TLS tmm tmp toc tok tomjoht toml tomo toolset toshimaru triaged triaging truncatewords tsv ttf Tudou Tumblr Tweetsert txtpen Tyborska tzinfo ubuntu uby ujh ultron undumpable unencode Unescape unescaping unicode uniq upcase uppercasing uri urlset username usr utf utils utime vanpelt Vasovi vendored vercel versioned vertycal Veyor vilcans Vishesh visualstudio vnd vohedge vps vscode vwochnik Walkthroughs wdm We'd webfont webhook webhosting webmentions webrick weekdate whitelist whitelisting wikipedia wildcards willcodeforfoo woff wordpress Workaround wsl xcode xcrun xdg Xhmikos xhtml Xiaoiver XMinutes xmlns xmlschema yajl Yarp Yashu Yastreb Youku youtube yunbox zeropadding Zlatan zlib zoneinfo zpinter Zsh zshrc zypper zzot

To accept these unrecognized words as correct (and remove the previously acknowledged and now absent words), run the following commands

... in a clone of the git@github.com:AlexRogalskiy/java-patterns.git repository
on the renovate/pypi-jinja2-vulnerability branch:

update_files() {
perl -e '
my @expect_files=qw('".github/actions/spelling/expect.txt"');
@ARGV=@expect_files;
my @stale=qw('"$patch_remove"');
my $re=join "|", @stale;
my $suffix=".".time();
my $previous="";
sub maybe_unlink { unlink($_[0]) if $_[0]; }
while (<>) {
if ($ARGV ne $old_argv) { maybe_unlink($previous); $previous="$ARGV$suffix"; rename($ARGV, $previous); open(ARGV_OUT, ">$ARGV"); select(ARGV_OUT); $old_argv = $ARGV; }
next if /^(?:$re)(?:(?:\r|\n)*$| .*)/; print;
}; maybe_unlink($previous);'
perl -e '
my $new_expect_file=".github/actions/spelling/expect.txt";
use File::Path qw(make_path);
use File::Basename qw(dirname);
make_path (dirname($new_expect_file));
open FILE, q{<}, $new_expect_file; chomp(my @words = <FILE>); close FILE;
my @add=qw('"$patch_add"');
my %items; @items{@words} = @words x (1); @items{@add} = @add x (1);
@words = sort {lc($a)."-".$a cmp lc($b)."-".$b} keys %items;
open FILE, q{>}, $new_expect_file; for my $word (@words) { print FILE "$word\n" if $word =~ /\w/; };
close FILE;
system("git", "add", $new_expect_file);
'
}

comment_json=$(mktemp)
curl -L -s -S \
  --header "Content-Type: application/json" \
  "https://api.github.com/repos/AlexRogalskiy/java-patterns/issues/comments/4189894809" > "$comment_json"
comment_body=$(mktemp)
jq -r .body < "$comment_json" > $comment_body
rm $comment_json

patch_remove=$(perl -ne 'next unless s{^</summary>(.*)</details>$}{$1}; print' < "$comment_body")
  

patch_add=$(perl -e '$/=undef;
$_=<>;
s{<details>.*}{}s;
s{^#.*}{};
s{\n##.*}{};
s{(?:^|\n)\s*\*}{}g;
s{\s+}{ }g;
print' < "$comment_body")
  
update_files
rm $comment_body
git add -u

If you see a bunch of garbage

If it relates to a ...

well-formed pattern

See if there's a pattern that would match it.

If not, try writing one and adding it to the patterns.txt file.

Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

Note that patterns can't match multiline strings.

binary-ish string

Please add a file path to the excludes.txt file instead of just accepting the garbage.

File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

github-actions

Scan Summary

Tool	Critical	High	Medium	Low	Status
Dependency Scan (universal)	2	12	14	0	❌
Security Audit for Infrastructure	14	92	8	32	❌
Kotlin Security Audit	0	0	0	0	✅
Kotlin Static Analysis	0	0	0	0	✅
Python Source Analyzer	0	0	0	0	✅
Secrets Audit	0	4	0	0	❌
Shell Script Analysis	0	0	0	195	✅

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

renovate bot added the javascript dependencies label Mar 30, 2026

auto-assign bot requested a review from AlexRogalskiy March 30, 2026 22:32

github-actions bot added the docs label Mar 30, 2026

⬆️ Updates Jinja2 to v3.1.6 [SECURITY]

bbd0c4b

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

renovate bot force-pushed the renovate/pypi-jinja2-vulnerability branch from 76d35de to bbd0c4b Compare April 6, 2026 01:14

github-actions bot reviewed Apr 6, 2026

View reviewed changes

github-actions bot added the security findings label Apr 6, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

⬆️ Updates Jinja2 to v3.1.6 [SECURITY]#3547

⬆️ Updates Jinja2 to v3.1.6 [SECURITY]#3547
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/pypi-jinja2-vulnerability

renovate bot commented Mar 30, 2026

Uh oh!

renovate bot commented Mar 30, 2026

Uh oh!

github-actions bot commented Mar 30, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Apr 6, 2026 •

edited

Loading

Uh oh!

github-actions bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

renovate bot commented Mar 30, 2026

GitHub Vulnerability Alerts

Release Notes

Configuration

Uh oh!

renovate bot commented Mar 30, 2026

Branch automerge failure

Uh oh!

github-actions bot commented Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

@check-spelling-bot Report

Unrecognized words, please review:

Uh oh!

github-actions bot commented Apr 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

@check-spelling-bot Report

Unrecognized words, please review:

Uh oh!

github-actions bot left a comment

Choose a reason for hiding this comment

Scan Summary

Recommendation

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

github-actions bot commented Mar 30, 2026 •

edited

Loading

github-actions bot commented Apr 6, 2026 •

edited

Loading