jupyter / nbconvert

Jupyter Notebook Conversion
https://nbconvert.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Add upper bound on the Jinja and MarkupSafe dependencies #1740

Open martinRenou opened 2 years ago

martinRenou commented 2 years ago

Related https://github.com/jupyter/nbconvert/pull/1737

Considering this discussion and the fact that Jinja (and I assume MarkupSafe) do not use semver, we should probably add an upper bound on the Jinja2 and MarkupSafe dependencies. Something like the following could probably be good in order to not get bad surprises?

'jinja2>=2.4,<3.2',
'MarkupSafe>=2.0,<2.2'
akchinSTC commented 2 years ago

Just piggybacking on this topic: it seems possible, if given an environment with Jinja2<3.0 installed, for pip to resolve to using MarkupSafe >= 2.1 when using the latest release of nbconvert. If that happens, I believe there will be an import error here: https://github.com/pallets/jinja/blob/cf215390d4a4d6f0a4de27e2687eed176878f13d/src/jinja2/filters.py#L13 due to 'soft_unicode' having been renamed to 'soft_str'. The old name will be removed in MarkupSafe 2.1.

bollwyvl commented 2 years ago

As a library almost as much as a tool, if possible we should try to support and test as simple/wide a range as we can, without offering too much of a crutch/impediment to others.

We could start a _jinja_compat.py module which normalizes the behavior during the 6.x line: having some try: ... except ImportError: clauses isn't very expensive (vs #1685, which is a whole other world), and we can even emit some warnings of our own.

On a future, sensible major version increase, we could then bump the bottom range once and for all: jinja2<3 is no longer supported, and historically, template libraries can be rich sources of security issues.
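As an added illustration of the _jinja_compat.py idea discussed above (example code, not nbconvert's own): a shim that detects the Jinja2 < 3.0 / MarkupSafe >= 2.1 pair described in the thread and restores the removed soft_unicode alias so Jinja2 2.x still imports. The function names, and the assumption that nbconvert would call the shim before importing jinja2, are mine.

```python
"""Hypothetical _jinja_compat.py for an nbconvert 6.x line (illustrative only).

MarkupSafe 2.0 added soft_str and kept soft_unicode as a deprecated alias;
2.1 drops the alias. Jinja2 < 3.0 does `from markupsafe import soft_unicode`
at import time, so that pair fails in jinja2/filters.py. The shim below warns
about the pair and re-adds the alias instead of letting the import blow up.
"""
import re
import warnings


def _major_minor(version):
    """'2.11.3' -> (2, 11); pre-release suffixes such as '3.0.0rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def incompatible_pair(jinja2_version, markupsafe_version):
    """True for the combination reported in the issue: Jinja2 < 3.0 with MarkupSafe >= 2.1."""
    return _major_minor(jinja2_version) < (3, 0) and _major_minor(markupsafe_version) >= (2, 1)


def soft_str(value):
    """Portable soft_str: leave str (including Markup) untouched, stringify anything else."""
    return value if isinstance(value, str) else str(value)


def ensure_soft_unicode(markupsafe_module):
    """Re-add the removed alias so Jinja2 2.x's import-time lookup succeeds.

    Returns True if the alias was restored, False if it was already present.
    The fallback is our own soft_str when the module lacks one (hypothetical case).
    """
    if hasattr(markupsafe_module, "soft_unicode"):
        return False
    markupsafe_module.soft_unicode = getattr(markupsafe_module, "soft_str", soft_str)
    warnings.warn(
        "MarkupSafe no longer provides soft_unicode; restored it as an alias for Jinja2 < 3.0",
        DeprecationWarning,
        stacklevel=2,
    )
    return True


def patch_installed_markupsafe():
    """Apply the shim to the real package if it is importable; otherwise do nothing."""
    try:
        import markupsafe  # assumed to be the installed MarkupSafe, if any
    except ImportError:
        return False
    return ensure_soft_unicode(markupsafe)
```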