Conversation
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-15183335
- https://snyk.io/vuln/SNYK-PYTHON-WAGTAIL-15189141
Pull request overview
This PR attempts to address security vulnerabilities by upgrading Django from 4.1.6 to 4.2.28 and Wagtail from 4.2.2 to 6.3.6. However, the upgrades introduce multiple critical compatibility issues that will prevent the application from functioning.
Changes:
- Upgrade Django from 4.1.6 to 4.2.28 (minor version jump crossing the 4.0 constraint boundary)
- Upgrade Wagtail from 4.2.2 to 6.3.6 (major version jump spanning two major releases)
| # Django | ||
| # ------------------------------------------------------------------------------ | ||
| django==4.1.6 # pyup: < 4.0 # https://www.djangoproject.com/ | ||
| django==4.2.28 # pyup: < 4.0 # https://www.djangoproject.com/ |
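Review bot: the `# pyup: < 4.0` marker on the changed line is already contradicted by the old pin (4.1.6 is not below 4.0) and remains contradicted at 4.2.28; update the marker to the range the project actually supports, or drop it, so that neither the pyup bot nor a human reviewer is working from a stale constraint when the next bump arrives.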
The Django version upgrade to 4.2.28 violates the explicit version constraint "pyup: < 4.0" specified in the comment. This constraint indicates that the codebase is not intended to be upgraded to Django 4.x. The jump from Django 4.1.6 to 4.2.28 requires updating this constraint to match the intended version policy, or downgrading to the latest 3.2.x LTS version if the constraint is intentional. Note that Django 4.0 introduced several breaking changes including new template tag autoescape behavior, updated URL pattern matching, and changes to the admin interface.
| # Wagtail | ||
| # ------------------------------------------------------------------------------ | ||
| wagtail==4.2.2 # https://github.com/wagtail/wagtail | ||
| wagtail==6.3.6 # https://github.com/wagtail/wagtail |
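Review bot: a jump from wagtail==4.2.2 to wagtail==6.3.6 crosses two major versions in a PR whose stated purpose is to close two advisories; split it so that this PR pins the smallest Wagtail release the advisory lists as patched, and handle the 5.x/6.x migration in a separate change with its own test run, otherwise the security fix is blocked on a large compatibility effort.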
The Wagtail upgrade from 4.2.2 to 6.3.6 is a major version jump spanning two major releases (5.x and 6.x). This introduces significant breaking changes that will cause runtime errors. Key issues include:
- Wagtail 5.0+ requires Pillow>=9.1.0, but line 3 has Pillow==9.0.1 (as noted in the PR warnings)
- wagtailautocomplete.edit_handlers.AutocompletePanel was deprecated in Wagtail 3.0 and removed in later versions - it should be imported from wagtail.admin.panels instead (used in 11+ files across the codebase)
- wagtail.contrib.modeladmin was deprecated in Wagtail 5.0 and requires migration to the Snippet ViewSets API (used extensively throughout the codebase)
- Multiple template tag and API changes between versions
This upgrade requires code migration across the entire codebase before it can work properly. Consider upgrading incrementally (4.2→5.0→6.0→6.3) with proper testing at each step.
| # Wagtail | ||
| # ------------------------------------------------------------------------------ | ||
| wagtail==4.2.2 # https://github.com/wagtail/wagtail | ||
| wagtail==6.3.6 # https://github.com/wagtail/wagtail |
The Pillow version 9.0.1 on line 3 is incompatible with the upgraded Wagtail 6.3.6. As noted in the PR warnings, Wagtail 5.0.5+ requires Pillow>=9.1.0. This dependency needs to be updated to at least Pillow==9.1.0, though a more recent version like 10.x or 11.x would be preferable for security and compatibility. Without this update, the application will fail to start with a dependency conflict error.
| # Wagtail | ||
| # ------------------------------------------------------------------------------ | ||
| wagtail==4.2.2 # https://github.com/wagtail/wagtail | ||
| wagtail==6.3.6 # https://github.com/wagtail/wagtail |
The wagtailmenus version 3.1.3 is likely incompatible with Wagtail 6.3.6. Wagtailmenus 3.1.3 was released for Wagtail 3.x and 4.x. For Wagtail 6.x, wagtailmenus 4.0+ is required. Without updating this dependency, the menu functionality will fail with import errors or runtime exceptions. This is a secondary dependency that should be addressed alongside the main Wagtail upgrade.
| # Wagtail | ||
| # ------------------------------------------------------------------------------ | ||
| wagtail==4.2.2 # https://github.com/wagtail/wagtail | ||
| wagtail==6.3.6 # https://github.com/wagtail/wagtail |
The wagtail-autocomplete version 0.9.0 is incompatible with Wagtail 6.3.6. Wagtail-autocomplete 0.9.0 supports up to Wagtail 4.x. For Wagtail 6.x, wagtail-autocomplete 0.11+ is required. Additionally, the codebase imports from the deprecated wagtailautocomplete.edit_handlers module (used in 11+ files including article/models.py, education_directory/models.py, etc.), which needs to be updated to use wagtail.admin.panels instead. This will cause import errors throughout the application.
| django==4.2.28 # pyup: < 4.0 # https://www.djangoproject.com/ | ||
| django-environ==0.8.1 # https://github.com/joke2k/django-environ | ||
| django-model-utils==4.3.1 # https://github.com/jazzband/django-model-utils | ||
| django-allauth==0.54.0 # https://github.com/pennersr/django-allauth |
The django-allauth version 0.54.0 may have compatibility issues with Django 4.2.28. Django-allauth 0.54.0 was released for Django 3.2 and 4.1. For Django 4.2, django-allauth 0.57.0+ is recommended to ensure full compatibility with newer Django features and avoid potential deprecation warnings or errors.
| django-allauth==0.54.0 # https://github.com/pennersr/django-allauth | |
| django-allauth==0.57.0 # https://github.com/pennersr/django-allauth |
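Review bot: this suggested bump of django-allauth from 0.54.0 to 0.57.0 is outside the scope of the two advisories the PR description cites; if it is kept, say so in the PR description and run it through the same test suite as the Django bump rather than applying the suggestion from the review UI without a CI run.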
| # Django | ||
| # ------------------------------------------------------------------------------ | ||
| django==4.1.6 # pyup: < 4.0 # https://www.djangoproject.com/ | ||
| django==4.2.28 # pyup: < 4.0 # https://www.djangoproject.com/ |
The django-haystack version 3.2.1 may have compatibility issues with Django 4.2.28. Django-haystack 3.2.1 was designed for Django 3.2 and 4.1. While it may work with Django 4.2, there could be deprecation warnings or unexpected behavior. Consider testing thoroughly or upgrading to the latest django-haystack version that explicitly supports Django 4.2.
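The review comments above list several minimum-version pairings (Pillow for Wagtail 5.0.5+, wagtailmenus and wagtail-autocomplete for Wagtail 6.x, django-allauth for Django 4.2) and point out that the `pyup:` marker on the Django line contradicts the pin. The following is an added example, not code from the Snyk PR or from the reviewed project: it parses a `name==version` requirements file, applies those pairings as rules, and flags pins that contradict their own `pyup:` marker, so a maintainer can run the same checks locally before merging a bot-generated bump. The rule table is taken from the comments and is an assumption for illustration, not an authoritative support matrix; the sample requirements text is constructed from the pins visible in the diff and the versions the comments mention.

```python
"""Check pinned requirements against minimum-version rules and stale pyup markers.

Added example, not the project's or Snyk's code. RULES and SAMPLE_REQUIREMENTS
are assumptions built from the review comments on this PR.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed sample: pins visible in the PR diff plus the ones the
# review comments mention (Pillow, wagtailmenus, wagtail-autocomplete).
SAMPLE_REQUIREMENTS = """\
Pillow==9.0.1
# Django
# ------------------------------------------------------------------------------
django==4.2.28  # pyup: < 4.0  # https://www.djangoproject.com/
django-allauth==0.54.0  # https://github.com/pennersr/django-allauth
# Wagtail
# ------------------------------------------------------------------------------
wagtail==6.3.6  # https://github.com/wagtail/wagtail
wagtailmenus==3.1.3
wagtail-autocomplete==0.9.0
"""

# (trigger package, trigger minimum, required package, required minimum)
# Assumed from the review comments; verify against each project's changelog.
RULES = [
    ("wagtail", "5.0.5", "pillow", "9.1.0"),
    ("wagtail", "6.0", "wagtailmenus", "4.0"),
    ("wagtail", "6.0", "wagtail-autocomplete", "0.11"),
    ("django", "4.2", "django-allauth", "0.57.0"),
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)\s*(?:#(.*))?$")
PYUP_RE = re.compile(r"pyup:\s*(<=|>=|<|>|==)\s*([0-9][0-9.]*)")
COMPARE = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b,
}


def parse_version(text: str) -> Version:
    """Numeric dotted version to a tuple; tuple comparison gives the usual ordering."""
    return tuple(int(p) for p in text.strip().split(".") if p)


def fmt(ver: Version) -> str:
    return ".".join(str(p) for p in ver)


def normalize(name: str) -> str:
    """PEP 503-style name normalisation so Pillow/pillow and _/- compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> Dict[str, Tuple[Version, str]]:
    """Map normalised package name -> (pinned version, trailing comment)."""
    pins: Dict[str, Tuple[Version, str]] = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            name, ver, comment = m.groups()
            pins[normalize(name)] = (parse_version(ver), comment or "")
    return pins


def check_rules(pins: Dict[str, Tuple[Version, str]]) -> List[str]:
    """Report required packages that are missing or below the minimum a rule demands."""
    findings = []
    for trig, trig_min, req, req_min in RULES:
        if trig not in pins or pins[trig][0] < parse_version(trig_min):
            continue  # rule does not apply at this trigger version
        if req not in pins:
            findings.append(f"{req} not pinned, but {trig}>={trig_min} needs {req}>={req_min}")
        elif pins[req][0] < parse_version(req_min):
            findings.append(f"{req}=={fmt(pins[req][0])} too old for {trig}>={trig_min}: need >={req_min}")
    return findings


def check_stale_pyup(pins: Dict[str, Tuple[Version, str]]) -> List[str]:
    """Report pins whose version violates the 'pyup: <op> <version>' marker on the same line."""
    findings = []
    for name, (ver, comment) in pins.items():
        m = PYUP_RE.search(comment)
        if m and not COMPARE[m.group(1)](ver, parse_version(m.group(2))):
            findings.append(f"{name}=={fmt(ver)} contradicts its own marker 'pyup: {m.group(1)} {m.group(2)}'")
    return findings


def report(text: str) -> List[str]:
    pins = parse_requirements(text)
    return check_rules(pins) + check_stale_pyup(pins)


if __name__ == "__main__":
    for finding in report(SAMPLE_REQUIREMENTS):
        print(finding)
```

Run it against `requirements/base.txt` in place of the constructed sample to get the same five findings the review comments raise; the rule table is the part to keep in the repository and extend as the real support matrices are confirmed.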
Snyk has created this PR to fix 2 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
requirements/base.txt

Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.