chore: bump pillow to major version

[eschutho]

SUMMARY
Bump Pillow optional dependency (used for taking web screenshots) to address several security vulnerabilities: https://www.cvedetails.com/product/27460/Python-Pillow.html?vendor_id=10210

The only breaking change on this major version of pillow is that it no longer supports Python 3.6, which Superset already doesn't allow.

TESTING INSTRUCTIONS
Make sure we are still able to generate thumbnails and reports with charts and dashboards screenshots

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

Merging #18134 (758c0df) into master (88db2cc) will decrease coverage by 0.43%.
The diff coverage is 57.18%.

❗ Current head 758c0df differs from pull request most recent head 7ae73a7. Consider uploading reports for the commit 7ae73a7 to get more accurate results

@@            Coverage Diff             @@
##           master   #18134      +/-   ##
==========================================
- Coverage   66.36%   65.93%   -0.44%     
==========================================
  Files        1570     1584      +14     
  Lines       61767    62046     +279     
  Branches     6243     6273      +30     
==========================================
- Hits        40990    40907      -83     
- Misses      19178    19518     +340     
- Partials     1599     1621      +22     

Flag	Coverage Δ
hive	52.15% <29.46%> (-1.07%)	⬇️
mysql	?
postgres	81.22% <57.82%> (-0.93%)	⬇️
presto	51.99% <29.46%> (-1.06%)	⬇️
python	81.62% <57.82%> (-0.98%)	⬇️
sqlite	80.92% <57.82%> (-0.93%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...rt-controls/src/operators/rollingWindowOperator.ts	100.00% <ø> (ø)
...ui-chart-controls/src/operators/utils/constants.ts	100.00% <ø> (ø)
...superset-ui-core/src/query/types/PostProcessing.ts	100.00% <ø> (ø)
...ackages/superset-ui-core/src/utils/featureFlags.ts	100.00% <ø> (ø)
...src/BigNumber/BigNumberWithTrendline/buildQuery.ts	9.09% <ø> (ø)
...hart-echarts/src/MixedTimeseries/transformProps.ts	0.00% <0.00%> (ø)
...chart-echarts/src/Timeseries/Area/controlPanel.tsx	33.33% <0.00%> (-6.67%)	⬇️
.../plugin-chart-echarts/src/Timeseries/Area/index.ts	33.33% <0.00%> (-16.67%)	⬇️
...charts/src/Timeseries/Regular/Bar/controlPanel.tsx	33.33% <0.00%> (-6.67%)	⬇️
...-chart-echarts/src/Timeseries/Regular/Bar/index.ts	33.33% <0.00%> (-16.67%)	⬇️
... and 84 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 88db2cc...7ae73a7. Read the comment docs.

[dpgaspar]

Change log: https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst#900-2022-01-02

I dislike initial majors like this one. Any major problem with this version, will leave Superset vulnerable to its fix and release, without any possibility for user's being able to downgrade pillow or upgrade (it's the only current version).

Given the CVE's it's probably a good idea, what do you think about temporarily leaving a wider version interval?

[eschutho]

Give the CVE's it's probably a good idea, what do you think about temporarily leaving a wider version interval?

Sounds good.. I widened the version range so that users can bump when they feel comfortable.