This repository has been archived by the owner on Mar 8, 2019. It is now read-only.

Update dependencies #160

Open
davehunt opened this issue Nov 5, 2018 · 7 comments
@davehunt
Member

davehunt commented Nov 5, 2018

Dependabot has opened several pull requests to update dependencies; however, most of these are failing. We need to investigate and resolve these issues so that we can use the latest stable dependencies.

@tarekziade
Contributor

The two issues are:

  • it can't find "blinker"
  • the itsdangerous pinned version is conflicting

Since both issues are on 3.5 - I do wonder if we really care about 3.5

I think we should just get rid of 3.5 and keep 3.6+ going forward

@davehunt
Member Author

davehunt commented Nov 6, 2018

It looks like blinker failing to install may be related to an issue in the Pipfile. I've been able to replicate it locally, and the patch from #161 fixes it. Let's see how the Travis CI run goes.

@davehunt
Member Author

davehunt commented Nov 6, 2018

Okay, that didn't help. Part of the issue here is that the Pipfile.lock is not in sync with Pipfile. I've now opened #162 to update the dependencies and ensure Travis CI fails if the Pipfile.lock falls out of sync again.

@davehunt
Member Author

davehunt commented Nov 6, 2018

There's also an issue with the current version of pipenv that pulls in extras as markers in the Pipfile.lock so that's also causing issues. 😢 I'll push another commit to #162.

@tarekziade
Contributor

Ignore my comment about 3.5 vs 3.6 - it's a 3.5 only project

@davehunt
Member Author

davehunt commented Nov 6, 2018

Whilst #162 is passing in Travis CI, I haven't been able to confirm that there are no regressions from the updated packages and I'm not confident with merging it.

@davehunt
Member Author

davehunt commented Nov 6, 2018

It looks like @dependabot-bot is affected by pypa/pipenv#3026 so the pull requests opened are introducing a marker for blinker, which means it's being ignored during the pipenv install. The issue is apparently fixed, but we'll need to wait for a new release and for Dependabot to use the new version. I'll report this to Dependabot so they're aware.
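
Added example, not part of the thread and not the project's code: a CI check that flags `Pipfile.lock` entries whose `markers` reference an `extra`, the condition the comments above report as causing blinker to be ignored during `pipenv install`. The sample lockfile, its package versions and marker strings are constructed for illustration, and the function names are hypothetical.

```python
import json
import re

# Constructed sample lockfile (not taken from the repository); versions and
# marker strings are illustrative, and the hash is a placeholder.
SAMPLE_LOCK = """
{
  "_meta": {"hash": {"sha256": "<placeholder>"}, "pipfile-spec": 6},
  "default": {
    "blinker": {"version": "==1.4", "markers": "extra == 'signals'"},
    "itsdangerous": {"version": "==1.1.0"},
    "enum34": {"version": "==1.1.6", "markers": "python_version < '3.4'"}
  },
  "develop": {
    "pytest": {"version": "==3.10.0",
               "markers": "python_version >= '3.5' and extra == 'testing'"}
  }
}
"""

# Matches the marker variable `extra` but not words such as "extras".
EXTRA_VARIABLE = re.compile(r"\bextra\b")


def find_extra_markers(lock_text):
    """Return sorted (section, package, markers) for entries gated on an extra."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            markers = entry.get("markers", "") if isinstance(entry, dict) else ""
            if EXTRA_VARIABLE.search(markers):
                findings.append((section, name, markers))
    return sorted(findings)


def main(lock_text=SAMPLE_LOCK):
    """Print each finding; return a non-zero status so a CI job can fail on it."""
    findings = find_extra_markers(lock_text)
    for section, name, markers in findings:
        print(f"{section}: {name} is gated on an extra: {markers}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

In a CI job, `main` would be given the contents of the repository's `Pipfile.lock` instead of the sample.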
