unicef / iogt

Incompatible version of Pillow library used during docker build #1008

Open istride opened 2 years ago

istride commented 2 years ago

Noticed this error when building the Docker container image.

ERROR: wagtail 2.11.8 has requirement Pillow<9.0.0,>=4.0.0, but you'll have pillow 9.0.0 which is incompatible.

I don't think this has had any adverse effect on the app, but it would be best to resolve this issue to eliminate it as a potential problem in the future.

sheralim012 commented 1 year ago

We aren't explicitly specifying the Pillow package in the project requirements, but wagtail itself has Pillow as a dependency, and in wagtail 2.15.x the Pillow version conditions have been updated too, see here.

@istride I have tried building the Docker image using the Dockerfile and am not getting this error now, but do let me know if you still face this issue during deployment.

istride commented 1 year ago

For me, the point of this issue is to stay in control of the build process and dependency management.

The log entry indicates an error condition.

As far as I know, we haven't done anything to directly resolve this issue.

sheralim012 commented 1 year ago

  • What is the correct course of action if this happens again, or with another dependency?

I believe we should pin the project's main dependencies and use some tools like pip-compile to resolve and pin sub-dependencies as well.

Through this one might say we will lose patch updates but we can define and agree on a process to update the packages as well. Also, security updates are already notified through GitHub's security feature.

  • How is the version of Pillow being resolved now?

Wagtail's sub-dependencies conditions are updated.

  • Should we be explicitly defining which version to use?

I believe yes, so builds are more predictable and deterministic.

istride commented 1 year ago

Pinning dependencies is a good suggestion. Are there any other tools that might help in that regard and that we should consider (e.g. Poetry)?

Wagtail's sub-dependencies conditions are updated.

I understand that the range of acceptable versions of Pillow has been expanded. What I wanted to understand is why, given that we are not explicitly stating which version to use, was an incompatible version being selected. Potentially, there is another package with a dependency on Pillow that is imposing its requirements on the project.

sheralim012 commented 1 year ago

@istride you are right, there is another package CairoSVG (used for SVG to PNG conversion) that has Pillow as its dependency and could cause incompatibility. (Ran requirements through pip-tools and it showed Wagtail and CairoSVG packages that are installing Pillow.)

I have used pip-tools and pipenv before but not Poetry, but it looks good too. Let me know if you have any preferences.

My suggestion would be to go with pip-tools as there would be fewer changes with the current setup as we are already using the requirements.txt file for building docker images.

istride commented 1 year ago

Let's introduce pip-tools then and see how it goes. Make sure to update the getting started instructions in the main readme, and any other documentation that needs an update.
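
An added example, not part of the thread or the project's code: a stdlib-only Python check that lists which distributions constrain Pillow and which of those constraints an installed version violates, the situation diagnosed above with Wagtail and CairoSVG. The metadata is constructed; only the wagtail 2.11.8 Pillow range comes from the error message, and CairoSVG's unbounded requirement is an assumption.

```python
import operator
import re

# Constructed sample shaped like importlib.metadata.distribution(name).requires.
# The wagtail Pillow range is from the error in this issue; the CairoSVG entry
# (no version bounds) and "example-pkg" are assumptions for illustration.
REQUIRES = {
    "wagtail 2.11.8": ["Pillow<9.0.0,>=4.0.0"],
    "CairoSVG": ["Pillow", "cssselect2"],
    "example-pkg": ["urllib3>=1.21.1"],
}

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}


def parse_version(text):
    """Turn '9.0.0' into (9, 0, 0). Plain numeric releases only."""
    return tuple(int(part) for part in text.split("."))


def normalize(name):
    """PEP 503 name normalisation, so 'Pillow' and 'pillow' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def constraints_on(package, requires=REQUIRES):
    """Map each dependent distribution to the clauses it places on `package`."""
    found = {}
    for dist, reqs in requires.items():
        for req in reqs:
            m = re.match(r"\s*([A-Za-z0-9._-]+)\s*([^;]*)", req)
            if m and normalize(m.group(1)) == normalize(package):
                found[dist] = [c.strip() for c in m.group(2).split(",") if c.strip()]
    return found


def conflicts(package, installed, requires=REQUIRES):
    """Return (dist, clause) pairs that the installed version violates.

    Handles only the comparison operators in OPS; anything else raises.
    """
    bad = []
    for dist, clauses in constraints_on(package, requires).items():
        for clause in clauses:
            op, bound = re.match(r"(<=|>=|==|!=|<|>)\s*([\d.]+)$", clause).groups()
            if not OPS[op](parse_version(installed), parse_version(bound)):
                bad.append((dist, clause))
    return bad
```

An unbounded dependent such as the CairoSVG entry never appears in the conflict list itself, which is why it has to be found by listing every constraint on the package rather than only the violated ones.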