Use the packaging requirements as version constraints for all other
requirements files which should include Salt's base requirements.
The nox sessions now don't install the base requirements since the "top"
requirements file includes the base requirements.
All of this ensures that the same versions are used on all of them.
Jinja2
------
CVE-2020-28493
moderate severity
Vulnerable versions: < 2.11.3
Patched version: 2.11.3
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
lxml
----
CVE-2021-28957
moderate severity
Vulnerable versions: < 4.6.3
Patched version: 4.6.3
An XSS vulnerability was discovered in the python lxml clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
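The two advisories above are the reason for bumping the pins, and the point of using one constraints file everywhere is that a single check can confirm no requirements file still pins a vulnerable release. The script below is an added example, not part of the Salt commit or its tooling: it parses `==` pins from a requirements/constraints file and compares them against the patched versions named in the advisories (Jinja2 2.11.3, lxml 4.6.3). The requirements text is a constructed sample, not Salt's real file, and the version comparison is a deliberately simple numeric one using only the standard library.

```python
"""Flag pinned requirements that fall below an advisory's patched version.

Added example, not from the Salt commit. Standard library only; the
advisory data is taken from the two advisories in the commit message and
the requirements text is a constructed sample.
"""
import re

# Minimum patched versions quoted in the advisories above.
PATCHED = {
    "jinja2": "2.11.3",   # CVE-2020-28493 (ReDoS in the urlize filter)
    "lxml": "4.6.3",      # CVE-2021-28957 (formaction not removed by Cleaner)
}

# Constructed sample of a pinned requirements/constraints file.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not Salt's real requirements file
Jinja2==2.11.2
lxml==4.6.3
MarkupSafe==1.1.1
"""

# Matches "Name==1.2.3" with optional surrounding whitespace; other
# specifiers (>=, ~=) are not exact pins and are ignored here.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalize(name):
    """PEP 503 style name normalization so Jinja2 and jinja2 compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version):
    """Numeric tuple for ordering; pre-release tags such as rc1 are dropped.

    Good enough for release pins like 2.11.3; use packaging.version.Version
    in real tooling if pre-releases or local versions matter.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_pins(text):
    """Return {normalized_name: pinned_version} for every == pin in text."""
    pins = {}
    for line in text.splitlines():
        match = PIN_RE.match(line)
        if match:
            pins[normalize(match.group(1))] = match.group(2)
    return pins


def find_vulnerable_pins(text, patched=PATCHED):
    """List (package, pinned, patched) for pins older than the patched version.

    Packages that are not pinned at all are skipped: this check only answers
    whether an explicit pin is known-vulnerable, not whether a package is used.
    """
    pins = parse_pins(text)
    findings = []
    for package, patched_version in patched.items():
        pinned = pins.get(normalize(package))
        if pinned is None:
            continue
        if version_key(pinned) < version_key(patched_version):
            findings.append((package, pinned, patched_version))
    return findings


if __name__ == "__main__":
    for package, pinned, patched_version in find_vulnerable_pins(SAMPLE_REQUIREMENTS):
        print(f"{package}=={pinned} is below patched version {patched_version}")
```

Run against each requirements file (or just the constraints file, once every other file points at it) as part of CI; a non-empty result means a pin still sits in the advisory's vulnerable range.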