Update Pillow/Willow dependencies to Wagtail 5.0.x to allow installing Pillow 10.0.1+

[zerolab]

Similar to #10951 / #10955

Kudos to @tomkins for the heads up

[zerolab]

RTD failed with

The configuration file required to build documentation is missing from your project. Add a configuration file to your project to make it build successfully. Read more at https://docs.readthedocs.io/en/stable/config-file/v2.html

Will have a look

[gasman]

Did you intend to reduce the lower bound here? This was set as 9.1.0 in #10911.

[zerolab]

I did not. Copy/pasta error. Fixed

[zerolab]

I do wonder whether we need the Pillow line at all, since at the end of the day we are restricted by the Pillow versions that Willow supports 🤔

[laymonage]

^ I've been wondering about that as well. If that's the case it's going to be so much easier to handle any security fixes coming from Pillow as we can just make a new release of Willow without a new release of Wagtail.

[dkirkham]

When I was implementing #10911 I too wondered about this. But as I understand it from the comments, Willow can make use of either Pillow or Wand, and therefore it can’t include Pillow (or Wand) as a dependency in the packaging. But I’m not an expert in packaging, maybe there is a way of configuring constraints on optional dependencies.

[zerolab]

Went back and checked, and indeed we don't require either Pillow or Wand in Willow - https://github.com/wagtail/Willow/blob/main/pyproject.toml#L28-L31 So this was but a dream

[dkirkham]

Maybe the answer is to add to the [project.optional-dependencies] in Willow, so that Wagtail requires Willow[Pillow,heif]>=1.6.3,<1.7 and Willow specifies Pillow>=9.1.0,<11.0.0 in that optional dependency. There would need to be a non-heif option too. Then Wagtail can remove the direct dependency on Pillow.

I'm not sure if this would introduce any breaking changes, especially to non-Wagtail uses of Willow.

[zerolab]

That is actually a pretty good suggestion

[zerolab]

wagtail/Willow#130

[squash-labs]

Manage this branch in Squash

Test this branch here: https://zerolabfixloosen-pillow-willow-bj5k7.squash.io

[thibaudcolas]

The CircleCI UI test failure looks legit but is unrelated to the changes here. I’ll open an issue. Edit: #10990.

Logs for ref

 FAIL  client/tests/integration/homepage.test.js
  ● Homepage › axe

    expect(received).toPassAxeTests(expected)

    Expected page to pass Axe accessibility tests.
    Violations found:
    Rule: "color-contrast" (Elements must have sufficient color contrast)
    Help: https://dequeuniversity.com/rules/axe/4.3/color-contrast?application=axe-puppeteer
    Affected Nodes:
      a[data-w-upgrade-target="link"]
        Fix ANY of the following:
        - Element has insufficient color contrast of 4.25 (foreground color: #007d7e, background color: #faecd5, font size: 10.2pt (13.6px), font weight: normal). Expected contrast ratio of 4.5:1