deps(security): pin pillow >= 12.2.0 (GHSA-whj4-6x5x-4v2j) (#228)

neuron7xLab · claude · web-flow · commit 241d7b4db6c4 · 2026-04-14T00:25:25.000+03:00
Closes the single open Dependabot advisory on GeoSync main: GHSA-whj4-6x5x-4v2j — FITS GZIP decompression bomb in Pillow (high). Vulnerable range ``>= 10.3.0, < 12.2.0``; SBOM recorded 12.1.1; fix 12.2.0+. Pillow is a pure transitive — it enters the install tree via scientific/ML extras and isn't listed in ``requirements.txt`` or ``pyproject.toml`` directly. Following the existing pattern in ``constraints/security.txt``, pin the floor here so transitive resolution cannot regress below the fix line across environments. Also refreshes the ``sbom/combined-requirements.txt`` row so the SBOM stays consistent with the new constraint. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/constraints/security.txt b/constraints/security.txt
@@ -90,3 +90,12 @@ fastapi>=0.119.0,<1.0.0
 # Brotli: Compression algorithm support, required for secure decompression
 # Version 1.2.0+ required for urllib3 2.6.0 security fixes
 Brotli>=1.2.0
+
+# ============================================================================
+# Image processing - Memory-safety critical (transitive)
+# ============================================================================
+# pillow: GHSA-whj4-6x5x-4v2j — FITS GZIP decompression bomb
+# Vulnerable: >= 10.3.0, < 12.2.0. Pillow enters the install tree via
+# scientific/ML extras (e.g. torchvision-adjacent paths). Pin the floor
+# here so transitive resolution cannot regress below the fix line.
+pillow>=12.2.0
diff --git a/sbom/combined-requirements.txt b/sbom/combined-requirements.txt
@@ -92,7 +92,7 @@ optuna==3.6.2
 packaging==25.0
 pandas==3.0.2
 pandera==0.26.1
-pillow==12.1.1
+pillow==12.2.0
 prometheus-client==0.25.0
 propcache==0.4.1
 protobuf==6.33.5
