Register URL routes for Flask application or blueprint in lazy way
Bumps [jinja2](https://github.com/pallets/jinja) from 2.7.3 to 2.10.1. **This update includes a security fix.** <details> <summary>Vulnerabilities fixed</summary> <p><em>Sourced from The GitHub Security Advisory Database.</em></p> <blockquote> <p><strong>High severity vulnerability that affects Jinja2 and jinja2</strong> In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.</p> <p>Affected versions: < 2.10.1</p> </blockquote> </details> <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pallets/jinja/releases">jinja2's releases</a>.</em></p> <blockquote> <h2>2.10.1</h2> <ul> <li>Changes: <a href="https://jinja.palletsprojects.com/en/2.10.x/changelog/#version-2-10-1">https://jinja.palletsprojects.com/en/2.10.x/changelog/#version-2-10-1</a></li> <li>Blog: <a href="https://palletsprojects.com/blog/jinja-2-10-1-released/">https://palletsprojects.com/blog/jinja-2-10-1-released/</a></li> <li>Twitter: <a href="https://twitter.com/PalletsTeam/status/1114605127308992513">https://twitter.com/PalletsTeam/status/1114605127308992513</a></li> </ul> <h2>2.10</h2> <h2>Primary changes</h2> <ul> <li>A <code>NativeEnvironment</code> that renders Python types instead of strings. <a href="http://jinja.pocoo.org/docs/2.10/nativetypes/">http://jinja.pocoo.org/docs/2.10/nativetypes/</a></li> <li>A <code>namespace</code> object that works with <code>{% set %}</code>. This replaces previous hacks for storing state across iterations or scopes. <a href="http://jinja.pocoo.org/docs/2.10/templates/#assignments">http://jinja.pocoo.org/docs/2.10/templates/#assignments</a></li> <li>The <code>loop</code> object now has <code>nextitem</code> and <code>previtem</code> attributes, as well as a <code>changed</code> method, for the common case of outputting something as a value in the loop changes. More complicated cases can use the <code>namespace</code> object. 
<a href="http://jinja.pocoo.org/docs/2.10/templates/#for">http://jinja.pocoo.org/docs/2.10/templates/#for</a></li> </ul> <h2>Install or upgrade</h2> <p>Install from <a href="https://pypi.python.org/pypi/Jinja2/2.10">PyPI</a> with pip:</p> <pre><code>pip install -U Jinja2 </code></pre> <h2>Changelog</h2> <ul> <li>Added a new extension node called <code>OverlayScope</code> which can be used to create an unoptimized scope that will look up all variables from a derived context.</li> <li>Added an <code>in</code> test that works like the in operator. This can be used in combination with <code>reject</code> and <code>select</code>.</li> <li>Added <code>previtem</code> and <code>nextitem</code> to loop contexts, providing access to the previous/next item in the loop. If such an item does not exist, the value is undefined.</li> <li>Added <code>changed(*values)</code> to loop contexts, providing an easy way of checking whether a value has changed since the last iteration (or rather since the last call of the method)</li> <li>Added a <code>namespace</code> function that creates a special object which allows attribute assignment using the <code>set</code> tag. This can be used to carry data across scopes, e.g. from a loop body to code that comes after the loop.</li> <li>Added a <code>trimmed</code> modifier to <code>{% trans %}</code> to strip linebreaks and surrounding whitespace. Also added a new policy to enable this for all <code>trans</code> blocks.</li> <li>The <code>random</code> filter is no longer incorrectly constant folded and will produce a new random choice each time the template is rendered. (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/478">#478</a>)</li> <li>Added a <code>unique</code> filter. (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/469">#469</a>)</li> <li>Added <code>min</code> and <code>max</code> filters. 
(<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/475">#475</a>)</li> <li>Added tests for all comparison operators: <code>eq</code>, <code>ne</code>, <code>lt</code>, <code>le</code>, <code>gt</code>, <code>ge</code>. (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/665">#665</a>)</li> <li><code>import</code> statement cannot end with a trailing comma. (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/617">#617</a>, <a href="https://github-redirect.dependabot.com/pallets/jinja/issues/618">#618</a>)</li> <li><code>indent</code> filter will not indent blank lines by default. (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/685">#685</a>)</li> <li>Add <code>reverse</code> argument for <code>dictsort</code> filter. (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/692">#692</a>)</li> <li>Add a <code>NativeEnvironment</code> that renders templates to native Python types instead of strings. (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/708">#708</a>)</li> <li>Added filter support to the block <code>set</code> tag. (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/489">#489</a>)</li> <li><code>tojson</code> filter marks output as safe to match documented behavior. (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/718">#718</a>)</li> <li>Resolved a bug where getting debug locals for tracebacks could modify template context.</li> <li>Fixed a bug where having many <code>{% elif ... %}</code> blocks resulted in a "too many levels of indentation" error. 
These blocks now compile to native <code>elif ..:</code> instead of <code>else: if ..:</code> (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/759">#759</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pallets/jinja/blob/master/CHANGES.rst">jinja2's changelog</a>.</em></p> <blockquote> <h1>Version 2.10.1</h1> <p>Released 2019-04-06</p> <ul> <li><code>SandboxedEnvironment</code> securely handles <code>str.format_map</code> in order to prevent code execution through untrusted format strings. The sandbox already handled <code>str.format</code>.</li> </ul> <h1>Version 2.10</h1> <p>Released 2017-11-08</p> <ul> <li>Added a new extension node called <code>OverlayScope</code> which can be used to create an unoptimized scope that will look up all variables from a derived context.</li> <li>Added an <code>in</code> test that works like the in operator. This can be used in combination with <code>reject</code> and <code>select</code>.</li> <li>Added <code>previtem</code> and <code>nextitem</code> to loop contexts, providing access to the previous/next item in the loop. If such an item does not exist, the value is undefined.</li> <li>Added <code>changed(*values)</code> to loop contexts, providing an easy way of checking whether a value has changed since the last iteration (or rather since the last call of the method)</li> <li>Added a <code>namespace</code> function that creates a special object which allows attribute assignment using the <code>set</code> tag. This can be used to carry data across scopes, e.g. from a loop body to code that comes after the loop.</li> <li>Added a <code>trimmed</code> modifier to <code>{% trans %}</code> to strip linebreaks and surrounding whitespace. 
Also added a new policy to enable this for all <code>trans</code> blocks.</li> <li>The <code>random</code> filter is no longer incorrectly constant folded and will produce a new random choice each time the template is rendered. (#478)</li> <li>Added a <code>unique</code> filter. (#469)</li> <li>Added <code>min</code> and <code>max</code> filters. (#475)</li> <li>Added tests for all comparison operators: <code>eq</code>, <code>ne</code>, <code>lt</code>, <code>le</code>, <code>gt</code>, <code>ge</code>. (#665)</li> <li><code>import</code> statement cannot end with a trailing comma. (#617, #618)</li> <li><code>indent</code> filter will not indent blank lines by default. (#685)</li> <li>Add <code>reverse</code> argument for <code>dictsort</code> filter. (#692)</li> <li>Add a <code>NativeEnvironment</code> that renders templates to native Python types instead of strings. (#708)</li> <li>Added filter support to the block <code>set</code> tag. (#489)</li> <li><code>tojson</code> filter marks output as safe to match documented behavior. (#718)</li> <li>Resolved a bug where getting debug locals for tracebacks could modify template context.</li> <li>Fixed a bug where having many <code>{% elif ... %}</code> blocks resulted in a "too many levels of indentation" error. These blocks now compile to native <code>elif ..:</code> instead of <code>else: if ..:</code> (#759)</li> </ul> <h1>Version 2.9.6</h1> <p>Released 2017-04-03</p> <ul> <li>Fixed custom context behavior in fast resolve mode (#675)</li> </ul> <h1>Version 2.9.5</h1> <p>Released 2017-01-28</p> <ul> <li>Restored the original repr of the internal <code>_GroupTuple</code> because this caused issues with ansible and it was an unintended change. (#654)</li> <li>Added back support for custom contexts that override the old <code>resolve</code> method since it was hard for people to spot that this could cause a regression.</li> <li>Correctly use the buffer for the else block of for loops. 
This caused invalid syntax errors to be caused on 2.x and completely wrong behavior on Python 3 (#669)</li> <li>Resolve an issue where the <code>{% extends %}</code> tag could not be used with async environments. (#668)</li> <li>Reduce memory footprint slightly by reducing our unicode database dump we use for identifier matching on Python 3 (#666)</li> <li>Fixed autoescaping not working for macros in async compilation mode. (#671)</li> </ul> ... (truncated) </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pallets/jinja/commit/c4c4088945a2c12535f539be7f5453b9ca94666c"><code>c4c4088</code></a> release 2.10.1</li> <li><a href="https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26"><code>a2a6c93</code></a> sandbox str.format_map</li> <li><a href="https://github.com/pallets/jinja/commit/78d2f672149e5b9b7d539c575d2c1bfc12db67a9"><code>78d2f67</code></a> Bump version number to 2.10</li> <li><a href="https://github.com/pallets/jinja/commit/d9d3fc32f0b7584af5c371639bc7882449bb6f6d"><code>d9d3fc3</code></a> clean up MANIFEST.in</li> <li><a href="https://github.com/pallets/jinja/commit/072cdf97fa2899efe1d12715edf19706b6425fb5"><code>072cdf9</code></a> Support filters in set block</li> <li><a href="https://github.com/pallets/jinja/commit/d17c7dbbf003c2561d2599383a77027089fe15fb"><code>d17c7db</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pallets/jinja/issues/708">#708</a> from jctanner/NATIVE_TYPES</li> <li><a href="https://github.com/pallets/jinja/commit/6a7a263bc0ff6ea68ff3651d166f4077ed03c3c8"><code>6a7a263</code></a> Merge branch 'master' into NATIVE_TYPES</li> <li><a href="https://github.com/pallets/jinja/commit/31f92b5947e9dba8ba997dd93921cbf1538bb79f"><code>31f92b5</code></a> Fix typo in docstring (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/779">#779</a>)</li> <li><a 
href="https://github.com/pallets/jinja/commit/c3147611ec6bbfd8b6e42637c73a68e29de1e2e7"><code>c314761</code></a> codecov needs argparse on 2.6</li> <li><a href="https://github.com/pallets/jinja/commit/4750cf7c69c0ce2a0c44cc68c2fc06b984774e5e"><code>4750cf7</code></a> Minor docstring grammar fix (<a href="https://github-redirect.dependabot.com/pallets/jinja/issues/772">#772</a>)</li> <li>Additional commits viewable in <a href="https://github.com/pallets/jinja/compare/2.7.3...2.10.1">compare view</a></li> </ul> </details>
This issue appears to be discussing a feature request or bug report related to the repository. Based on the content, it seems to be resolved. The issue was opened by dependabot-preview[bot] and has received 0 comments.
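
As an added example (not part of the PR, Dependabot's output, or the Jinja project), here is a small standard-library audit that flags requirements lines still admitting Jinja2 releases below 2.10.1, the affected range stated in the advisory above. The function names and the sample requirements text are constructed for illustration.

```python
import re

FIXED = (2, 10, 1)  # first fixed release, per the advisory quoted in the PR
REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
SPEC = re.compile(r"(==|>=|<=|~=|!=|>|<)\s*([0-9][\w.]*)")

def parse_version(text):
    """'2.7.3' -> (2, 7, 3). Simplification: only the numeric prefix is used."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group().split(".")][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def audit_line(line):
    """Return None for non-Jinja2 lines, else a (status, reason) tuple."""
    m = REQ.match(line)
    # The advisory lists both spellings, so compare the normalized name.
    if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != "jinja2":
        return None
    specs = [(op, parse_version(v)) for op, v in SPEC.findall(m.group(2))]
    if not specs:
        return ("unbounded", "no constraint, the resolver may pick any release")
    for op, v in specs:
        if op == "==" and v < FIXED:
            return ("vulnerable", "exact pin is below 2.10.1")
        if (op == "<" and v <= FIXED) or (op == "<=" and v < FIXED):
            return ("vulnerable", "upper bound excludes 2.10.1")
    # '>' is treated like '>=' here, which errs on the side of flagging.
    floors = [v for op, v in specs if op in ("==", ">=", "~=", ">")]
    if floors and max(floors) >= FIXED:
        return ("ok", "every allowed release is 2.10.1 or later")
    return ("allows-vulnerable", "range still admits releases before 2.10.1")

def audit(requirements_text):
    """Return [(line_number, status, reason)] for each Jinja2 requirement."""
    findings = []
    for number, line in enumerate(requirements_text.splitlines(), 1):
        result = audit_line(line)
        if result:
            findings.append((number,) + result)
    return findings

# Constructed sample: the pin before and after the bump described in the PR.
BEFORE = "# web deps\nFlask==0.10.1\nJinja2==2.7.3\n"
AFTER = "# web deps\nFlask==0.10.1\nJinja2==2.10.1\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for number, status, reason in audit(text):
            print("%s line %d: %s (%s)" % (label, number, status, reason))
```

A range such as `jinja2>=2.7,<3` is reported as `allows-vulnerable` rather than `ok`, because a resolver or an older lockfile can still satisfy it with a release from the affected range.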