Update dependency nunjucks to v3 #6

Open. Wants to merge 1 commit into base: master.

Conversation

mend-for-github-com[bot]

This PR contains the following updates:

Package   Type             Update   Change
nunjucks  devDependencies  major    ~2.1.0 -> ~3.2.1

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity  CVSS Score  CVE
High      7.5         CVE-2020-28469
Medium    6.1         CVE-2016-10547

Release Notes

mozilla/nunjucks

v3.2.1

  • Replace yargs with commander to reduce number of dependencies. Merge of #1253. Thanks AlynxZhou.
  • Update optional dependency chokidar from ^2.0.0 to ^3.3.0. Merge of #1254. Thanks eklingen.
  • Prevent optional dependency Chokidar from loading when not watching. Merge of #1250. Thanks eklingen.

v3.2.0

v3.1.7

  • Fix bug where exceptions were silently swallowed with synchronous render. Fixes #678, #1116, #1127, and #1164.
  • Removes deprecated postinstall-build package in favor of npm prepare. Merge of #1172. Fixes #1167.
    • Note: this means that npm@5 or later is required to install nunjucks directly from github.

v3.1.6

No code changes; fixed npm packaging issue.

v3.1.4

  • Fix engine version for Node v11.1.0.
  • Fix "Unexpected token" error for U+2028 unicode newline. Fixes #126 and #736.

v3.1.3

  • Add forceescape filter. Fixes #782.
  • Fix regression that prevented template errors from reporting line and column number. Fixes #1087 and #1095.
  • Fix "Invalid type: Is" error for {% if value is defined %}. Fixes #1110.
  • Formally drop support for node v4 (the upgrade to babel 7 in 3.1.0 made the build process incompatible with node < 6.9.0).

v3.1.2

  • Fix regression to make chokidar an optional dependency again. Fixes #1073.
  • Fix issue when running npm install nunjucks with the --no-bin-links flag.
  • Fix regression that broke template caching. Fixes #1074.

v3.1.0

  • Support nunjucks.installJinjaCompat() with slim build. Fixes #1019.
  • Fix calling render callback twice when a conditional import throws an error. Solves #1029.
  • Support objects created with Object.create(null). Fixes #468.
  • Support ESNext iterators, using Array.from. Merge of #1058.

v3.0.1

  • Fix handling methods and attributes of static arrays, objects and primitives. Solves the issue #937.
  • Add support for python-style array slices with Jinja compat enabled. Fixes #188; merge of #976.
  • Fix call blocks having access to their parent scope. Fixes #906; merge of #994.
  • Fix a bug that caused capturing block tags (e.g. set/endset, filter/endfilter) to write to the global buffer rather than capturing their contents. Fixes #914 and #972; merge of #990. Thanks Noah Lange.

v3.0.0

  • Allow including many templates without reaching recursion limits. Merge of #787. Thanks Gleb Khudyakov.
  • Allow explicitly setting null (aka none) as the value of a variable; don't ignore that value and look on up the frame stack or context. Fixes #478. Thanks Jonny Gerig Meyer for the report.
  • Execute blocks in a child frame that can't write to its parent. This means that vars set inside blocks will not leak outside of the block, base templates can no longer see vars set in templates that inherit them, and super() can no longer set vars in its calling scope. Fixes the inheritance portion of #561, which fully closes that issue. Thanks legutierr for the report.
  • Prevent macros from seeing or affecting their calling scope. Merge of #667.
  • Fix handling of macro arg with default value which shares a name with another macro. Merge of #791.
  • Add support for the spaces parameter in the dump template filter. Merge of #868. Thanks Jesse Eikema.
  • Add verbatim as an alias of raw for compatibility with Twig. Merge of #874.
  • Add new nl2br filter. Thanks Marc-Aurèle Darche.
  • Add support for python's list.append with Jinja compat enabled. Thanks Conor Flannigan.
  • Add variables whitespace control.

v2.5.2

  • Call .toString in safe filter. Merge of #849.

v2.5.1

  • Fix undefined and null behavior in escape and safe filter. Merge of #843.

v2.5.0

  • Add elseif as an alias of elif for parity with Twig. Thanks kswedberg. Merge of #826.
  • Add nunjucks env to express app settings as nunjucksEnv. Merge of #829.
  • Add support for finding an object's "length" in length filter. Merge of #813.
  • Ensure that precompiling on Windows still outputs POSIX-style path separators. Merge of #761.
  • Add support for strict type check comparisons (=== and !==). Thanks oughter. Merge of #746.
  • Allow full expressions (incl. filters) in import and from tags. Thanks legutierr. Merge of #710.
  • OS agnostic file paths in precompile. Merge of #825.

v2.4.3

  • Fix potential cast-related XSS vulnerability in autoescape mode, and with escape filter. Thanks Matt Austin for the report and Thomas Hunkapiller for the fix. #836

v2.4.2

  • Fix use of in operator with strings. Fixes #714. Thanks Zubrik for the report.
  • Support ES2015 Map and Set in length filter. Merge of #705. Thanks ricordisamoa.
  • Remove truncation of long function names in error messages. Thanks Daniel Bendavid. Merge of #702.

v2.4.1

  • Don't double-escape. Thanks legutierr. Merge of #701.
  • Prevent filter.escape from escaping SafeString. Thanks atian25. Merge of #623.
  • Throw an error if a block is defined multiple times. Refs #696.
  • Officially recommend the .njk extension. Thanks David Kebler. Merge of #691.
  • Allow block-set to wrap an inheritance block. Unreported; fixed as a side effect of the fix for #576.
  • Fix filter tag with non-trivial contents. Thanks Stefan Cruz and Fabien Franzen for report and investigation, Jan Oopkaup for failing tests. Fixes #576.

v2.4.0

  • Allow retrieving boolean-false as a global. Thanks Marius Büscher. Merge of #694.
  • Don't automatically convert any for-loop that has an include statement into an async loop. Reverts 7d4716f4fd, re-opens #372, fixes #527. Thanks Tom Delmas for the report.
  • Switch from Optimist to Yargs for argument-parsing. Thanks Bogdan Chadkin. Merge of #672.
  • Prevent includes from writing to their including scope. Merge of #667 (only partially backported to 2.x; macro var visibility not backported).
  • Fix handling of dev environment option, to get full tracebacks on errors (including nunjucks internals). Thanks Tobias Petry and Chandrasekhar Ambula V for the report, Aleksandr Motsjonov for draft patch.
  • Support using in operator to search in both arrays and objects, and it will throw an error for other data types. Fix #659. Thanks Alex Mayfield for report and test, Ouyang Yadong for fix. Merge of #661.
  • Add support for {% set %} block assignments as in jinja2. Thanks Daniele Rapagnani. Merge of #656.
  • Fix {% set %} scoping within macros. Fixes #577 and the macro portion of #561. Thanks Ouyang Yadong. Merge of #653.
  • Add support for named endblock (e.g. {% endblock foo %}). Thanks ricordisamoa. Merge of #641.
  • Fix range global with zero as stop-value. Thanks Thomas Hunkapiller. Merge of #638.
  • Fix a bug in urlize that collapsed whitespace. Thanks Paulo Bu. Merge of #637.
  • Add sum filter. Thanks Pablo Matías Lazo. Merge of #629.
  • Don't suppress errors inside {% if %} tags. Thanks Artemy Tregubenko for report and test, Ouyang Yadong for fix. Merge of #634.
  • Allow whitespace control on comment blocks, too. Thanks Ouyang Yadong. Merge of #632.
  • Fix whitespace control around nested tags/variables/comments. Thanks Ouyang Yadong. Merge of #631.

v2.3.0

  • Return null from WebLoader on missing template instead of throwing an error, for consistency with other loaders. This allows WebLoader to support the new ignore missing flag on the include tag. If ignore missing is not set, a generic "template not found" error will still be thrown, just like for any other loader. Ajax errors other than 404 will still cause WebLoader to throw an error directly.
  • Add preserve-linebreaks option to striptags filter. Thanks Ivan Kleshnin. Merge of #619.

v2.2.0

  • Add striptags filter. Thanks Anthony Giniers. Merge of #589.
  • Allow compiled templates to be imported, included and extended. Thanks Luis Gutierrez-Sheris. Merge of #581.
  • Fix issue with different nunjucks environments sharing same globals. Each environment is now independent. Thanks Paul Pechin. Merge of #574.
  • Add negative steps support for range function. Thanks Nikita Mostovoy. Merge of #575.
  • Remove deprecation warning when using the default filter without specifying a third argument. Merge of #567.
  • Add support for chaining of addGlobal, addFilter, etc. Thanks Rob Graeber. Merge of #537.
  • Fix error propagation. Thanks Tom Delmas. Merge of #534.
  • trimBlocks now also trims windows style line endings. Thanks Magnus Tovslid. Merge of #548.
  • include now supports an option to suppress errors if the template does not exist. Thanks Mathias Nestler. Merge of #559.

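As an added example that is not part of this PR and not nunjucks' own source, the self-contained JavaScript below contrasts the bug class named in the v2.4.3 entry (a cast-related XSS: an escape routine that only escapes values that are already strings) with the behaviour the later entries describe (no double escaping, values marked safe are left alone, and undefined/null render as empty). The names SafeString, escapeOnlyStrings, escapeAny, render and escapeTwice are hypothetical, written for this illustration; the template and context values are constructed.

```javascript
// Added example, not nunjucks code: a minimal autoescape pipeline showing the
// difference between escaping only string values and escaping every value
// after coercing it to a string. All names here are hypothetical.

// Marker for values a template author has explicitly declared safe. It plays
// the role the changelog's SafeString plays, but is constructed for this example.
class SafeString {
  constructor(value) {
    this.value = String(value);
  }
  toString() {
    return this.value;
  }
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(str) {
  return str.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed variant: escapes only when the value already is a string. Numbers,
// arrays and objects pass through untouched and are stringified later by the
// renderer, so an object whose toString() yields markup reaches the page raw.
function escapeOnlyStrings(val) {
  if (typeof val === 'string') {
    return escapeHtml(val);
  }
  return val;
}

// Hardened variant: null and undefined become the empty string, values already
// marked safe are returned as-is (so they are neither escaped nor escaped a
// second time), and everything else is coerced to a string before escaping.
function escapeAny(val) {
  if (val === null || val === undefined) {
    return new SafeString('');
  }
  if (val instanceof SafeString) {
    return val;
  }
  return new SafeString(escapeHtml(String(val)));
}

// Tiny renderer: replaces {{ name }} placeholders with the escaped context
// value and stringifies whatever the escape function handed back.
function render(template, ctx, escapeFn) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) => String(escapeFn(ctx[name])));
}

// Constructed context: a plain string, an object whose toString() returns
// markup, a number, a missing value and a value explicitly marked safe.
const CONTEXT = {
  name: '<b>Mallory</b>',
  widget: { toString() { return '<script>x</script>'; } },
  count: 3,
  missing: undefined,
  trusted: new SafeString('<i>ok</i>'),
};

const TEMPLATE = '<p>{{ name }} {{ widget }} {{ count }} {{ missing }} {{ trusted }}</p>';

function renderFlawed() {
  return render(TEMPLATE, CONTEXT, escapeOnlyStrings);
}

function renderHardened() {
  return render(TEMPLATE, CONTEXT, escapeAny);
}

// Escaping an already-escaped value must leave it unchanged.
function escapeTwice(val) {
  return String(escapeAny(escapeAny(val)));
}

console.log('flawed:  ', renderFlawed());
console.log('hardened:', renderHardened());
console.log('twice:   ', escapeTwice('a < b'));
```

Run it with node: the flawed output carries the widget's script tag verbatim and the word "undefined", while the hardened output escapes the widget, drops the missing value and still passes the SafeString through untouched. The same check transfers to a real engine: with autoescape enabled, render a context value that is an object (or a number) rather than a string and confirm that it arrives escaped in the output, which is exactly what the v2.4.3 fix is about.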

mend-for-github-com[bot] added the label "security fix" (Security fix generated by WhiteSource) on Feb 4, 2022.
mend-for-github-com[bot] (Author)

Autoclosing Skipped

This PR has been flagged for autoclosing, however it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
