Upgrade pillow to 7.1.0?

[willgearty]

Apparently there's a low severity security vulnerability in all versions < 6.2.0. We're on 3.3.3, which means upgrading involves a LOT of changes. @hwatheod made the last upgrade to pillow, so maybe he's the best to figure out if we need to address any changes? My understanding is that it's only used for the imagefield in the teacher bios?

Changelog is here: https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst

[willgearty]

Looks like we now need to upgrade to 7.1.0 due to even more security vulnerabilities (although it's unclear to me whether they are relevant to our use case of ImageField). Unfortunately, 7.1.0 dropped support for Python 2.7 (see support here). Looks like our options are:

1. Upgrade to pillow 6.2.2, which fixes some of the security problems, but not all, but still supports python 2.7.
2. Wait to upgrade pillow to 7.1.0 when we upgrade to python 3 (https://github.com/learning-unlimited/ESP-Website/issues/2576)
3. Use FileField (ImageField without the image checks), some derived form of ImageField, or some other implementation of ImageField that doesn't require Pillow (I haven't found any options yet from my limited googling)
4. Ignore the security vulnerabilities altogether (#1 is probably a better option)

[willgearty]

@hwatheod or @milescalabresi, any thoughts?

[milescalabresi]

I like 3 and 1 (then 2 when the time comes). Do we know how much/severe vulnerability there is in 6.2?

[milescalabresi]

Fixed by #3616. I revise my statement: let's do option 2!