Update wagtail requirement from >=4.1 to >=7.3.1

[dependabot]

Updates the requirements on wagtail to permit the latest version.

Release notes

Sourced from wagtail's releases.

7.3.1

• Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
• Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)
• Fix: Update dependencies to allow django-modelsearch 1.2 and django-tasks 0.11
• Fix: Fix duplicate inline panel items when editing snippets with autosave enabled (Sage Abdullah)
• Fix: Prevent dropdowns from closing after a successful autosave (Sage Abdullah)
• Fix: Show placeholder image icons when image upload previews fail (Collins Kubu)
• Fix: Ensure that 'create' form within choosers is not hidden on validation errors (Ankit Chaudhary)
• Maintenance: Update semgrep to 1.150.0 (Pravin Kamble)

Changelog

Sourced from wagtail's changelog.

7.3.1 (03.03.2026)

 * Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
 * Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)
 * Fix: Update dependencies to allow django-modelsearch 1.2 and django-tasks 0.11
 * Fix: Fix duplicate inline panel items when editing snippets with autosave enabled (Sage Abdullah)
 * Fix: Prevent dropdowns from closing after a successful autosave (Sage Abdullah)
 * Fix: Show placeholder image icons when image upload previews fail (Collins Kubu)
 * Fix: Ensure that 'create' form within choosers is not hidden on validation errors (Ankit Chaudhary)
 * Maintenance: Update semgrep to 1.150.0 (Pravin Kamble)
7.3 (03.02.2026)

 * Add support for Django 6.0
 * Resize overly large avatar images on upload (Harshit Ranjan)
 * Add natural keys for `Page` and `Collection` models (Samya Aggarwal)
 * Add Loom oEmbed provider (Nick Ivons)
 * Add `ModelViewSet.pk_path_converter` with defaults for `IntegerField` and `UUIDField` primary keys (Seb Corbin)
 * Improve accessibility for sidebar menu with visual active (expanded) menu item indicators (Vignesh Shivhare)
 * Add `before_edit_setting` / `after_edit_setting` hooks (Baptiste Mispelon)
 * Lower default AVIF encoding quality from 80 to 73 (Thibaud Colas)
 * Provide a structured rendering of `StreamBlock` in comparison view (Taras Panasiuk)
 * Add support for settings and custom block layouts for StructBlock (Sage Abdullah)
 * Add llms.txt versions of the developer documentation and Wagtail user guide (Thibaud Colas)
 * Lower default JPEG and AVIF image quality settings to provide consistent perceptual quality between formats (Thibaud Colas)
 * Add support for custom content checks with client-side registration (Thibaud Colas)
 * Initial support for autosave (Matt Westcott, Sage Abdullah)
 * Fix: Do not try to resolve locale during fixture load (Jake Howard, Seb Corbin)
 * Fix: Gracefully handle oEmbed responses with a non-200 status or missing type (Shivam Kumar, Bhavesh Sharma)
 * Fix: Keep action button labelled as "Publish" rather than "Schedule to publish" if go-live date has passed (Vishrut Ramraj)
 * Fix: Pass accumulated icons to each `register_icons` hook (Joey Jurjens, Sage Abdullah)
 * Fix: Skip revisions that are missing the specified field in StreamField migrations (Joshua Munn)
 * Fix: Preserve listing search and filter parameters when redirecting from bulk actions (Sage Abdullah)
 * Fix: Ensure that object references within `TypedTableBlock` are counted in the reference index (Aman Bora)
 * Fix: Fix slug auto-generation when slug field is omitted from page edit form (Pravin Kamble)
 * Fix: Ensure `request.is_preview` and `request.preview_mode` are set for password-required responses (Ishtpreet Singh)
 * Fix: Optimise storage of redirect paths containing Unicode characters and ensure percent-encoded characters are matched case-insensitively (Andy Babic, Florin Barnea, Aman Bora, Matt Westcott)
 * Fix: Ensure that reference index records are deleted when the target object is deleted (bettercallok)
 * Fix: Ensure filters are applied to export button URLs in custom page listings (Ritik Arya, Sage Abdullah)
 * Fix: Prevent conflicting IDs in nested `StructBlock`s with blocks named `content` (Sage Abdullah, Serkan Korkusuz)
 * Fix: CVE-2026-25517: Improper permission handling on admin preview endpoints (thxtech, Matt Westcott, Jake Howard)
 * Docs: Recommend running `purge_embeds` after an embed provider changes policies (Paul Souders)
 * Docs: Document `WAGTAILIMAGES_FORMAT_CONVERSIONS` in the settings docs (David Buxton)
 * Docs: Wording changes to Draftail extension docs to improve searchability (Lasse Schmieding)
 * Docs: Fix StreamField param name (Baptiste Mispelon)
 * Docs: Clarify that `before_delete_page` and similar hooks only trigger on the individual page view, not bulk actions (Shivam Kumar)
 * Docs: Clarify template location in custom user model documentation (Akhil Muraleedharan)
</tr></table> 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>

<li><a href="https://github.com/wagtail/wagtail/commit/136e2f65957314f26bd2632adec08fe5ef9a1e25&quot;&gt;&lt;code&gt;136e2f6&lt;/code&gt;&lt;/a> Release note for updating semgrep to 1.150.0 in 7.2.3</li>

<li><a href="https://github.com/wagtail/wagtail/commit/21177fedc20ba1728aa3ca01f49d490543861ed2&quot;&gt;&lt;code&gt;21177fe&lt;/code&gt;&lt;/a> Version bump to 7.3.1 final</li>

<li><a href="https://github.com/wagtail/wagtail/commit/06750d47de2ff9b22b37ff56949c1abb325e0d96&quot;&gt;&lt;code&gt;06750d4&lt;/code&gt;&lt;/a> Release note for CVE-2026-28223 in 7.3.1</li>

<li><a href="https://github.com/wagtail/wagtail/commit/1b971d0ba7020c1bf5814851eb1ca82ce537245f&quot;&gt;&lt;code&gt;1b971d0&lt;/code&gt;&lt;/a> Release note for CVE-2026-28223 in 7.2.3</li>

<li><a href="https://github.com/wagtail/wagtail/commit/3aada716a7ba92d0c73f78e8c17586fe372088ae&quot;&gt;&lt;code&gt;3aada71&lt;/code&gt;&lt;/a> Release note for CVE-2026-28223 in 7.0.6</li>

<li><a href="https://github.com/wagtail/wagtail/commit/804ed3bce26c60bc56763947a612269b816cb2b7&quot;&gt;&lt;code&gt;804ed3b&lt;/code&gt;&lt;/a> Release note for CVE-2026-28223 in 6.3.8</li>

<li><a href="https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19&quot;&gt;&lt;code&gt;ba70244&lt;/code&gt;&lt;/a> Enforce HTML escaping of all confirmation / warning / error messages</li>

<li><a href="https://github.com/wagtail/wagtail/commit/423934efd88565b1bd2feea735cbacb8df35cb6c&quot;&gt;&lt;code&gt;423934e&lt;/code&gt;&lt;/a> Release note for CVE-2026-28222 in 7.3.1</li>

<li><a href="https://github.com/wagtail/wagtail/commit/a2db131d3f9bf2baa4256cb6c141691947f5f1b4&quot;&gt;&lt;code&gt;a2db131&lt;/code&gt;&lt;/a> Release note for CVE-2026-28222 in 7.2.3</li>

<li><a href="https://github.com/wagtail/wagtail/commit/16bbf260f6faa8674d0ff53a27133223a047d2e5&quot;&gt;&lt;code&gt;16bbf26&lt;/code&gt;&lt;/a> Release note for CVE-2026-28222 in 7.0.6</li>

<li>Additional commits viewable in <a href="https://github.com/wagtail/wagtail/compare/v7.0...v7.3.1&quot;&gt;compare view</a></li>

</ul>

</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #274.