chore: bump wagtail from 7.0.7 to 7.4

[dependabot]

Bumps wagtail from 7.0.7 to 7.4.

Release notes

Sourced from wagtail's releases.

7.4 LTS

• Add is_deferred_validation flag to support skipping custom validation when saving drafts (Daniel Kirkham)
• Update project template Dockerfile to build dependencies in a separate stage (Brylie Oxley, Akshat Gupta)
• Add include_root parameter to admin pages API endpoint (Divyansh Mishra)
• Add support for Flourish oEmbeds (Garrett Coakley)
• Add support for Heyzine oEmbeds (Baptiste Darthenay)
• Allow specifying creation_form_class on ChooserViewSet as a dotted path string (K Adithya)
• Various user experience improvements to autosave and concurrent editing notifications (Sage Abdullah)
• Allow validation of required StreamField blocks to be deferred on saving drafts (Sage Abdullah)
• Add WAGTAILDOCS_MAX_UPLOAD_SIZE setting for specifying maximum document file size (Om Harsh)
• Set the project template WAGTAILDOCS_MAX_UPLOAD_SIZE to 10MB (Thibaud Colas)
• Optimize combining of querysets in site history report (Alex Bridge)
• Add more informative error for format-* operations on SVG images (Ankit Kumar)
• Store preview data in new FormState model to improve compatibility with cookie-based sessions (Sage Abdullah)
• Change StreamBlock options so groups are shown in declaration order of their blocks (Darshan Kerkar)
• Add WAGTAILADMIN_PAGE_SEARCH_FILTER_BY_PERMISSIONS setting to disable permission filtering on page searches (Matt Westcott)
• Use choice label when displaying choice fields in SnippetViewSet/ModelViewSet's list_display (Srishti Jaiswal)
• Add new content check empty-meta-description to validate meta description tags are not empty (Thibaud Colas)
• Add extractMetrics method to PreviewController to retrieve content metrics from the preview panel (Thibaud Colas)
• Refine hover / focus styles for title field’s comment button (Srishti Jaiswal)
• Preserve "Collapse all" button state when switching between editor tabs (Raghad Dahi)
• Upgrade modelsearch to 1.3 (Matt Westcott)
• Implement checker error highlights within the preview panel (Thibaud Colas)
• Add routablefullpageurl template tag (Pravin Kamble)
• Add support for customizing page explorer views per page type using PageViewSet (Sage Abdullah)
• Enhance page content type usage view with custom listings and ability to create new pages (Sage Abdullah)
• Fix: CVE-2026-44197: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
• Fix: CVE-2026-44198: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
• Fix: CVE-2026-44199: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
• Fix: CVE-2026-44200: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
• Fix: CVE-2026-44201: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
• Fix: Handle nested inline models when displaying object usage information (Sage Abdullah, Kacper Walęga, Tian Jie Wong)
• Fix: Avoid duplicate get_object() DB query in API detail view (Siddheshwar Kadam)
• Fix: Ensure ImageBlock alt text populates on choosing a new image after unchecking decorative state (Pratham Jaiswal)
• Fix: Set verbose_name_plural for Query model in search promotions app (Saptami)
• Fix: Truncate overly long task names in workflow admin view (Gaurav Takhi)
• Fix: Hide "Add child page" button when no child pages can be created as per max_count or max_count_per_parent (Lasse Schmieding)
• Fix: Prevent multiple child pages with max_count_per_parent being moved under one parent (James Biggs)
• Fix: Use POST instead of DELETE in Cloudflare Frontend Cache Backend (Tom Usher)
• Fix: Handle null values for title, author name or provider name in OEmbed responses (Baptiste Darthenay)
• Fix: Preserve original data types from ChoiceBlock choices in block values (Devarshi Mani Tripathi)
• Fix: Fix translation sync logic for django-treebeard 5.0.2 (Matt Westcott)
• Fix: Correctly HTML-escape page title in approval/rejection notification emails (Matt Westcott)
• Fix: Correctly HTML-escape URL in photo type oembeds (Thibaud Colas)
• Fix: Ensure user with appropriate permissions can cancel a workflow task (Dan Braghis)
• Fix: Ensure "submit to workflow" menu item uses the workflow name when creating pages (Sage Abdullah)
• Fix: Better align page descriptions in add subpage views (Tibor Leupold)
• Fix: Correctly close the Pages menu panel when clicking sidebar search (Divyansh Mishra)
• Docs: Add documentation for the filter_spec parameter of ImageRenditionField (Soumya-codr)
• Docs: Add guide for testing document upload forms (Wenli Tsai, Bhavesh Sharma)

... (truncated)

Changelog

Sourced from wagtail's changelog.

7.4 LTS (05.05.2026)

 * Add `is_deferred_validation` flag to support skipping custom validation when saving drafts (Daniel Kirkham)
 * Update project template Dockerfile to build dependencies in a separate stage (Brylie Oxley, Akshat Gupta)
 * Add `include_root` parameter to admin pages API endpoint (Divyansh Mishra)
 * Add support for Flourish oEmbeds (Garrett Coakley)
 * Add support for Heyzine oEmbeds (Baptiste Darthenay)
 * Allow specifying `creation_form_class` on `ChooserViewSet` as a dotted path string (K Adithya)
 * Various user experience improvements to autosave and concurrent editing notifications (Sage Abdullah)
 * Allow validation of required StreamField blocks to be deferred on saving drafts (Sage Abdullah)
 * Add `WAGTAILDOCS_MAX_UPLOAD_SIZE` setting for specifying maximum document file size (Om Harsh)
 * Set the project template `WAGTAILDOCS_MAX_UPLOAD_SIZE` to 10MB (Thibaud Colas)
 * Optimize combining of querysets in site history report (Alex Bridge)
 * Add more informative error for `format-*` operations on SVG images (Ankit Kumar)
 * Store preview data in new `FormState` model to improve compatibility with cookie-based sessions (Sage Abdullah)
 * Change StreamBlock options so groups are shown in declaration order of their blocks (Darshan Kerkar)
 * Add `WAGTAILADMIN_PAGE_SEARCH_FILTER_BY_PERMISSIONS` setting to disable permission filtering on page searches (Matt Westcott)
 * Use choice label when displaying choice fields in `SnippetViewSet`/`ModelViewSet`'s `list_display` (Srishti Jaiswal)
 * Add new content check `empty-meta-description` to validate meta description tags are not empty (Thibaud Colas)
 * Add `extractMetrics` method to `PreviewController` to retrieve content metrics from the preview panel (Thibaud Colas)
 * Refine hover / focus styles for title field’s comment button (Srishti Jaiswal)
 * Preserve "Collapse all" button state when switching between editor tabs (Raghad Dahi)
 * Upgrade modelsearch to 1.3 (Matt Westcott)
 * Implement checker error highlights within the preview panel (Thibaud Colas)
 * Add `routablefullpageurl` template tag (Pravin Kamble)
 * Add support for customizing page explorer views per page type using `PageViewSet` (Sage Abdullah)
 * Enhance page content type usage view with custom listings and ability to create new pages (Sage Abdullah)
 * Fix: CVE-2026-44197: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
 * Fix: CVE-2026-44198: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
 * Fix: CVE-2026-44199: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
 * Fix: CVE-2026-44200: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
 * Fix: CVE-2026-44201: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
 * Fix: Handle nested inline models when displaying object usage information (Sage Abdullah, Kacper Walęga, Tian Jie Wong)
 * Fix: Avoid duplicate `get_object()` DB query in API detail view (Siddheshwar Kadam)
 * Fix: Ensure `ImageBlock` alt text populates on choosing a new image after unchecking decorative state (Pratham Jaiswal)
 * Fix: Set `verbose_name_plural` for Query model in search promotions app (Saptami)
 * Fix: Truncate overly long task names in workflow admin view (Gaurav Takhi)
 * Fix: Hide "Add child page" button when no child pages can be created as per `max_count` or `max_count_per_parent` (Lasse Schmieding)
 * Fix: Prevent multiple child pages with `max_count_per_parent` being moved under one parent (James Biggs)
 * Fix: Use POST instead of DELETE in Cloudflare Frontend Cache Backend (Tom Usher)
 * Fix: Handle null values for title, author name or provider name in OEmbed responses (Baptiste Darthenay)
 * Fix: Preserve original data types from `ChoiceBlock` choices in block values (Devarshi Mani Tripathi)
 * Fix: Fix translation sync logic for django-treebeard 5.0.2 (Matt Westcott)
 * Fix: Correctly HTML-escape page title in approval/rejection notification emails (Matt Westcott)
 * Fix: Correctly HTML-escape URL in photo type oembeds (Thibaud Colas)
 * Fix: Ensure user with appropriate permissions can cancel a workflow task (Dan Braghis)
 * Fix: Ensure "submit to workflow" menu item uses the workflow name when creating pages (Sage Abdullah)
 * Fix: Better align page descriptions in add subpage views (Tibor Leupold)
 * Fix: Correctly close the Pages menu panel when clicking sidebar search (Divyansh Mishra)
</tr></table> 

... (truncated)

Commits

• 06237c5 Fill in CVE identifiers
• 48a7d42 Fetch new translations from Transifex
• 3bcddf2 ruff format
• e182e3e Version bump to 7.4 final
• d504b23 Release notes for security fixes in 7.4
• 2d3b103 Release notes for security fixes in 7.3.2
• 1a491b0 Fix permission check on creating alias
• 2540d7a Fix permission handling on page copy
• 538a703 Exclude view-restricted collections from document and images API
• 2123168 Only support deleting form submissions for the chosen page
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
wagtail	[>= 7.1.dev0, < 7.2]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #326.