[Security] Bump jinja2 from 2.7.2 to 2.10.1 in /requirements

[dependabot-preview]

Bumps jinja2 from 2.7.2 to 2.10.1. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects Jinja2 and jinja2
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Affected versions: < 2.10.1

Release notes

Sourced from jinja2's releases.

2.10.1

• Changes: https://github.com/pallets/jinja/blob/master/CHANGES.rst#version-2101
• Blog: https://palletsprojects.com/blog/jinja-2-10-1-released/
• Twitter: https://twitter.com/PalletsTeam/status/1114605127308992513

2.10

Primary changes

• A NativeEnvironment that renders Python types instead of strings.
  http://jinja.pocoo.org/docs/2.10/nativetypes/
• A namespace object that works with {% set %}. This replaces
  previous hacks for storing state across iterations or scopes.
  http://jinja.pocoo.org/docs/2.10/templates/#assignments
• The loop object now has nextitem and previtem attributes, as
  well as a changed method, for the common case of outputting
  something as a value in the loop changes. More complicated cases can
  use the namespace object.
  http://jinja.pocoo.org/docs/2.10/templates/#for

Install or upgrade

Install from PyPI with pip:

pip install -U Jinja2

Changelog

• Added a new extension node called OverlayScope which can be used to create an unoptimized scope that will look up all variables from a derived context.
• Added an in test that works like the in operator. This can be used in combination with reject and select.
• Added previtem and nextitem to loop contexts, providing access to the previous/next item in the loop. If such an item does not exist, the value is undefined.
• Added changed(*values) to loop contexts, providing an easy way of checking whether a value has changed since the last iteration (or rather since the last call of the method)
• Added a namespace function that creates a special object which allows attribute assignment using the set tag. This can be used to carry data across scopes, e.g. from a loop body to code that comes after the loop.
• Added a trimmed modifier to {% trans %} to strip linebreaks and surrounding whitespace. Also added a new policy to enable this for all trans blocks.
• The random filter is no longer incorrectly constant folded and will produce a new random choice each time the template is rendered. (#478)
• Added a unique filter. (#469)
• Added min and max filters. (#475)
• Added tests for all comparison operators: eq, ne, lt, le, gt, ge. (#665)
• import statement cannot end with a trailing comma. (#617, #618)
• indent filter will not indent blank lines by default. (#685)
• Add reverse argument for dictsort filter. (#692)
• Add a NativeEnvironment that renders templates to native Python types instead of strings. (#708)
• Added filter support to the block set tag. (#489)
• tojson filter marks output as safe to match documented behavior. (#718)
• Resolved a bug where getting debug locals for tracebacks could modify template context.
• Fixed a bug where having many {% elif ... %} blocks resulted in a "too many levels of indentation" error. These blocks now compile to native elif ..: instead of else: if ..: (#759)

Changelog

Sourced from jinja2's changelog.

Commits

• c4c4088 release 2.10.1
• a2a6c93 sandbox str.format_map
• 78d2f67 Bump version number to 2.10
• d9d3fc3 clean up MANIFEST.in
• 072cdf9 Support filters in set block
• d17c7db Merge pull request #708 from jctanner/NATIVE_TYPES
• 6a7a263 Merge branch 'master' into NATIVE_TYPES
• 31f92b5 Fix typo in docstring (#779)
• c314761 codecov needs argparse on 2.6
• 4750cf7 Minor docstring grammar fix (#772)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[dependabot-preview]

Superseded by #39.