Can't update jinja2 - version hardcoded

[eugene-nikolaev]

Hello!

Describe the bug

Tried to resolve a security alert:
GHSA-g3rq-g295-4j3m
But jinja2 version is harcoded here
https://github.com/fishtown-analytics/dbt/blob/77c10713a325d2bee91d1822951ce5d91ccc3278/core/setup.py#L62
So I was not able to bump up the version within my project.

Steps To Reproduce

• I've just set this in Pipfile:

[packages]
jinja2 = ">=2.11.3"

Expected behavior

jinja2 to be upgraded

Screenshots and log output

not applicable

System information

Which database are you using dbt with?

• postgres
• redshift
• bigquery
• snowflake
• other (specify: not relevant)

The output of dbt --version:

0.19.1-rc1

But basically it was merged in master in: 626f835
so not only

The operating system you're using:
MacOS

The output of python --version:
Python 3.7.7

Additional context

Add any other context about the problem here.

[jtcohen6]

Hey @eugene-nikolaev, dbt started tightly pinning Jinja2 because of a breaking change in a patch release last year (April 2020, see 626f835 in #2318).

Thanks for calling out the security advisory. We currently intend to bump the Jinja2 pin (#3077), along with all other pinned dependencies, before the next minor version of dbt.

[jtcohen6]

Resolved by #3077