Update dependency Jinja2 to v3.1.5 [SECURITY] (#1751)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [Jinja2](https://redirect.github.com/pallets/jinja)
([changelog](https://jinja.palletsprojects.com/changes/)) | patch |
`==3.1.4` -> `==3.1.5` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Jinja has a sandbox breakout through malicious filenames
[CVE-2024-56201](https://nvd.nist.gov/vuln/detail/CVE-2024-56201) /
[GHSA-gmj6-6f8f-6699](https://redirect.github.com/advisories/GHSA-gmj6-6f8f-6699)

<details>
<summary>More information</summary>

#### Details
A bug in the Jinja compiler allows an attacker that controls both the
content and filename of a template to execute arbitrary Python code,
regardless of if Jinja's sandbox is used.

To exploit the vulnerability, an attacker needs to control both the
filename and the contents of a template. Whether that is the case
depends on the type of application using Jinja. This vulnerability
impacts users of applications which execute untrusted templates where
the template author can also choose the template filename.

#### Severity
- CVSS Score: Unknown
- Vector String:
`CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`

#### References
-
[https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699](https://redirect.github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699)
-
[https://nvd.nist.gov/vuln/detail/CVE-2024-56201](https://nvd.nist.gov/vuln/detail/CVE-2024-56201)
-
[https://github.com/pallets/jinja/issues/1792](https://redirect.github.com/pallets/jinja/issues/1792)
-
[https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f](https://redirect.github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f)
-
[https://github.com/pallets/jinja](https://redirect.github.com/pallets/jinja)
-
[https://github.com/pallets/jinja/releases/tag/3.1.5](https://redirect.github.com/pallets/jinja/releases/tag/3.1.5)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-gmj6-6f8f-6699) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Jinja has a sandbox breakout through indirect reference to format
method
[CVE-2024-56326](https://nvd.nist.gov/vuln/detail/CVE-2024-56326) /
[GHSA-q2x7-8rv6-6q7h](https://redirect.github.com/advisories/GHSA-q2x7-8rv6-6q7h)

<details>
<summary>More information</summary>

#### Details
An oversight in how the Jinja sandboxed environment detects calls to
`str.format` allows an attacker that controls the content of a template
to execute arbitrary Python code.

To exploit the vulnerability, an attacker needs to control the content
of a template. Whether that is the case depends on the type of
application using Jinja. This vulnerability impacts users of
applications which execute untrusted templates.

Jinja's sandbox does catch calls to `str.format` and ensures they don't
escape the sandbox. However, it's possible to store a reference to a
malicious string's `format` method, then pass that to a filter that
calls it. No such filters are built-in to Jinja, but could be present
through custom filters in an application. After the fix, such indirect
calls are also handled by the sandbox.

#### Severity
- CVSS Score: Unknown
- Vector String:
`CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`

#### References
-
[https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h](https://redirect.github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h)
-
[https://nvd.nist.gov/vuln/detail/CVE-2024-56326](https://nvd.nist.gov/vuln/detail/CVE-2024-56326)
-
[https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4](https://redirect.github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4)
-
[https://github.com/pallets/jinja](https://redirect.github.com/pallets/jinja)
-
[https://github.com/pallets/jinja/releases/tag/3.1.5](https://redirect.github.com/pallets/jinja/releases/tag/3.1.5)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-q2x7-8rv6-6q7h) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>pallets/jinja (Jinja2)</summary>

###
[`v3.1.5`](https://redirect.github.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-315)

[Compare
Source](https://redirect.github.com/pallets/jinja/compare/3.1.4...3.1.5)

Released 2024-12-21

- The sandboxed environment handles indirect calls to `str.format`, such
as
    by passing a stored reference to a filter that calls its argument.
    :ghsa:`q2x7-8rv6-6q7h`
- Escape template name before formatting it into error messages, to
avoid
    issues with names that contain f-string syntax.
    :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
-   Sandbox does not allow `clear` and `pop` on known mutable sequence
    types. :issue:`2032`
-   Calling sync `render` for an async template uses `asyncio.run`.
    :pr:`1952`
-   Avoid unclosed `auto_aiter` warnings. :pr:`1960`
-   Return an `aclose`-able `AsyncGenerator` from
    `Template.generate_async`. :pr:`1960`
-   Avoid leaving `root_render_func()` unclosed in
    `Template.generate_async`. :pr:`1960`
- Avoid leaving async generators unclosed in blocks, includes and
extends.
    :pr:`1960`
- The runtime uses the correct `concat` function for the current
environment
    when calling block references. :issue:`1701`
-   Make `|unique` async-aware, allowing it to be used after another
    async-aware filter. :issue:`1781`
-   `|int` filter handles `OverflowError` from scientific notation.
    :issue:`1921`
- Make compiling deterministic for tuple unpacking in a `{% set ... %}`
    call. :issue:`2021`
- Fix dunder protocol (`copy`/`pickle`/etc) interaction with `Undefined`
    objects. :issue:`2025`
-   Fix `copy`/`pickle` support for the internal `missing` object.
    :issue:`2027`
-   `Environment.overlay(enable_async)` is applied correctly. :pr:`2061`
- The error message from `FileSystemLoader` includes the paths that were
    searched. :issue:`1661`
- `PackageLoader` shows a clearer error message when the package does
not
    contain the templates directory. :issue:`1705`
-   Improve annotations for methods returning copies. :pr:`1880`
-   `urlize` does not add `mailto:` to values like `@a@b`. :pr:`1870`
- Tests decorated with `@pass_context`` can be used with the ``|select``
    filter. :issue:`1624\`
- Using `set` for multiple assignment (`a, b = 1, 2`) does not fail when
the
    target is a namespace attribute. :issue:`1413`
-   Using `set` in all branches of `{% if %}{% elif %}{% else %}` blocks
    does not cause the variable to be considered initially undefined.
    :issue:`1253`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - "every weekday"
(UTC).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuMTkuMCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJpbXBhY3Qvbm8tY2hhbmdlbG9nLXJlcXVpcmVkIl19-->

Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>

aws-ts-stackreference-architecture/application/src/backend/requirements.txt

@@ -2,7 +2,7 @@ Click==7.0
 dnspython==2.6.1
 Flask==2.2.5
 itsdangerous==0.24
-Jinja2==3.1.4
+Jinja2==3.1.5
 MarkupSafe>=1.0
 Werkzeug==3.0.6
 requests==2.32.2