chore(dependencies): bumping jinja2

[rusackas]

SUMMARY

Just another opportunistic bump. Fixes include:

Fix compiler error when checking if required blocks in parent templates are empty. #1858

xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95

Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. #1918

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (1f6c270) 67.22% compared to head (6837b4e) 67.22%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #26794      +/-   ##
==========================================
- Coverage   67.22%   67.22%   -0.01%     
==========================================
  Files        1895     1895              
  Lines       74211    74211              
  Branches     8245     8245              
==========================================
- Hits        49892    49891       -1     
- Misses      22247    22248       +1     
  Partials     2072     2072              

Flag	Coverage Δ
mysql	77.96% <ø> (+0.02%)	⬆️
postgres	78.06% <ø> (+0.01%)	⬆️
python	78.20% <ø> (-0.01%)	⬇️
sqlite	77.64% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mistercrunch]

Oh, I approved earlier but changed my mind after seeing now that you skip the what appears to be dysfunctional pip-compile-multi step (super slow, maybe never-ending?), wondering if that could lead to a future regression when re-generating. As far as I'm guessing, pip-compile does not look into the .txt file for input. I'd make sure to add the right rule in the corresponding .in file to prevent regression. Also that tool does do some hash checking and may fail for the next person...

[villebro]

@rusackas @mistercrunch I ran pip-compile-multi -P jinja2 on master and got this:

 geopy==2.2.0
     # via apache-superset
 greenlet==2.0.2
-    # via
-    #   shillelagh
-    #   sqlalchemy
+    # via shillelagh
 gunicorn==21.2.0
     # via apache-superset
 hashids==1.3.1
@@ -157,10 +155,7 @@ idna==3.2
     #   email-validator
     #   requests
 importlib-metadata==6.6.0
-    # via
-    #   apache-superset
-    #   flask
-    #   shillelagh
+    # via apache-superset
 importlib-resources==5.12.0
     # via limits
 isodate==0.6.0
@@ -169,7 +164,7 @@ itsdangerous==2.1.2
     # via
     #   flask
     #   flask-wtf
-jinja2==3.1.2
+jinja2==3.1.3
     # via
     #   flask
     #   flask-babel
@@ -269,6 +264,7 @@ python-dateutil==2.8.2
     # via
     #   alembic
     #   apache-superset
+    #   celery
     #   croniter
     #   flask-appbuilder
     #   holidays
@@ -283,7 +279,6 @@ python-geohash==0.8.5
 pytz==2021.3
     # via
     #   babel
-    #   celery
     #   flask-babel
     #   pandas
 pyyaml==6.0.1
@@ -348,7 +343,9 @@ typing-extensions==4.4.0
     #   limits
     #   shillelagh
 tzdata==2023.3
-    # via pandas
+    # via
+    #   celery
+    #   pandas
 url-normalize==1.4.3
     # via requests-cache
 urllib3==1.26.6
@@ -383,9 +380,7 @@ wtforms-json==0.3.5
 xlsxwriter==3.0.7
     # via apache-superset
 zipp==3.15.0
-    # via
-    #   importlib-metadata
-    #   importlib-resources
+    # via importlib-metadata

So the jinja2 bump is ok, but the lock files do need a pip-compile-multi --no-upgrade. I can open a PR to clean them up after this is merged.

[rusackas]

ip-compile-multi --no-upgrade

This is exactly what I was trying to figure out how to do... you're a saint :)

Follow-up question: with frontend stuff, there are GitHub actions that run npm install and if the package lock is busted, CI fails. It seems like this PR shouldn't be mergeable as-is, but I'm not sure the right way to fix that.

[rusackas]

@mistercrunch @villebro am I doing this right?

Ran pip-compile-multi --no-upgrade, and committed everything except where it replaced . with my local path to Superset.

[michael-s-molina]

I wonder if we should run pip-compile-multi --no-upgrade on CI when dependency files change, and fail if there are differences between the output and what's being committed.

[rusackas]

I wonder if we should run pip-compile-multi --no-upgrade on CI when dependency files change, and fail if there are differences between the output and what's being committed.

Yep... we should probably have one that does this for all the "this shouldn't change" jobs — translations, npm, pip, maps, etc, all alongside the pre-commit check.

[mistercrunch]

LGTM apart from the conflicts. Am I the only for which this takes forever? Any --verbose flag or other flags to accelerate this. It's good to know about the -P thought, hopefully it scopes down the work and make execution faster.