
Commit 2b0bbca

neuron7xLab and Yaroslav Vasylenko authored
deps(security): align lock files with pillow >= 12.2.0 (GHSA-whj4-6x5x-4v2j) (#231)
Follow-up to da5b55a: that commit pinned pillow >= 12.2.0 in constraints/security.txt and bumped sbom/combined-requirements.txt, but the three pip-tools lock files were not regenerated and still held pillow==12.1.1. CI then failed at the "Setup Python environment" step with:

    ERROR: Cannot install pillow==12.1.1 because these package versions have conflicting dependencies.
    The user requested pillow==12.1.1
    The user requested (constraint) pillow>=12.2.0

Every PR that hits that step was blocked (e.g. PR #230, the python-multipart bump: runs/24478599121/job/71537241656 python-quality, runs/24478599121/job/71537241640 secrets-supply-chain).

Minimal fix: align the three lock files with the constraint floor enforced by constraints/security.txt and already reflected in the SBOM. Files touched:

  - requirements.lock: pillow==12.1.1 → pillow==12.2.0
  - requirements-dev.lock: pillow==12.1.1 → pillow==12.2.0
  - requirements-scan.lock: pillow==12.1.1 → pillow==12.2.0

Not regenerating the lock files via pip-compile from scratch here so the change stays surgical and auditable; a full lock refresh can be a separate tidy-up PR.

Security context (GHSA-whj4-6x5x-4v2j: FITS GZIP decompression bomb in Pillow, high severity, vulnerable range >= 10.3.0, < 12.2.0) is unchanged from da5b55a.

Co-authored-by: Yaroslav Vasylenko <neuron7x@ukr.net>
1 parent 241d7b4 commit 2b0bbca

3 files changed

Lines changed: 3 additions & 3 deletions
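The failure the commit message describes is a pin in a lock file sitting below a floor in constraints/security.txt, which pip's resolver only reports once the "Setup Python environment" step runs. The checker below is an added example, not part of this commit or the project's tooling: it parses a constraints text and one or more pip-tools lock texts and lists every `==` pin that a constraint would reject, so the same drift can be caught in a pre-install lint step. It generalises the commit's single pillow case to any package in the constraints file. Assumptions (all mine, none from the repository): the function names (`parse_specs`, `pinned_versions`, `find_violations`, `normalize`, `version_key`) are hypothetical; the requirement grammar handled is a deliberate subset of PEP 508/440 (plain names, `==`/`!=`/`>=`/`<=`/`>`/`<` specifiers, comma-separated, dotted numeric versions, no pre-release or epoch syntax); the constraint and lock texts are constructed to mirror the hunks, not copied from the real files.

```python
# Added example (not the project's code): flag pip-tools lock pins that violate constraint floors.
import re
from typing import Dict, List, Tuple

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.+)$")
SPEC_RE = re.compile(r"^(==|>=|<=|!=|>|<)\s*([0-9][0-9.]*)$")

# Specifier operators, evaluated on version_key() tuples.
OPS = {
    "==": lambda have, want: have == want,
    "!=": lambda have, want: have != want,
    ">=": lambda have, want: have >= want,
    "<=": lambda have, want: have <= want,
    ">": lambda have, want: have > want,
    "<": lambda have, want: have < want,
}


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> Tuple[int, ...]:
    """Comparable tuple for a dotted numeric version (assumption: no pre/post/dev tags).
    Trailing zeros are dropped so 12.2 compares equal to 12.2.0."""
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_specs(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map normalised package name -> [(op, version), ...] from a requirements/constraints text.
    Skips blank lines, comments (including pip-tools '# via' annotations), pip options such as
    -c/-r/--hash, environment markers after ';' and trailing line continuations."""
    specs: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip().rstrip("\\").strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement syntax: {raw!r}")
        name, spec_list = m.groups()
        for spec in spec_list.split(","):
            s = SPEC_RE.match(spec.strip())
            if not s:
                raise ValueError(f"unsupported specifier {spec!r} in {raw!r}")
            specs.setdefault(normalize(name), []).append((s.group(1), s.group(2)))
    return specs


def pinned_versions(lock_text: str) -> Dict[str, str]:
    """A pip-tools lock pins every package exactly once with '=='; reject anything else."""
    pins: Dict[str, str] = {}
    for name, specs in parse_specs(lock_text).items():
        if len(specs) != 1 or specs[0][0] != "==":
            raise ValueError(f"{name}: expected a single '==' pin, got {specs}")
        pins[name] = specs[0][1]
    return pins


def find_violations(constraints_text: str, lock_text: str) -> List[Tuple[str, str, str]]:
    """(name, pinned_version, failing_constraint) for each pin pip's resolver would reject."""
    constraints = parse_specs(constraints_text)
    problems = []
    for name, pinned in pinned_versions(lock_text).items():
        for op, want in constraints.get(name, []):
            if not OPS[op](version_key(pinned), version_key(want)):
                problems.append((name, pinned, op + want))
    return problems


# Constructed inputs modelled on the commit's hunks; not the repository's real files.
CONSTRAINTS = "# constraints/security.txt (constructed sample)\npillow>=12.2.0\n"
STALE_LOCK = """\
pandera==0.26.1
    # via
    #   -c constraints/security.txt
    #   geosync (pyproject.toml)
pillow==12.1.1
    # via
    #   captcha
    #   streamlit
"""
FIXED_LOCK = STALE_LOCK.replace("pillow==12.1.1", "pillow==12.2.0")

if __name__ == "__main__":
    locks = {"requirements.lock": STALE_LOCK, "requirements-dev.lock": FIXED_LOCK}
    report = {path: find_violations(CONSTRAINTS, text) for path, text in locks.items()}
    for path, problems in report.items():
        for name, pinned, spec in problems:
            print(f"{path}: {name}=={pinned} conflicts with constraint {name}{spec}")
    raise SystemExit(1 if any(report.values()) else 0)
```

Running it on the stale sample reports `requirements.lock: pillow==12.1.1 conflicts with constraint pillow>=12.2.0` and exits 1, which is the same conflict pip printed in the failed CI job; the fixed sample passes. The parser is intentionally strict and raises on syntax it does not model (extras, `~=`, URLs, pre-releases), because silently skipping a line it cannot read would hide exactly the kind of pin this check exists to catch. pip's own resolver remains the authoritative check (`pip install --dry-run -c constraints/security.txt -r requirements.lock`); this script only gives a faster, clearer failure before that step.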


requirements-dev.lock

Lines changed: 1 addition & 1 deletion
@@ -395,7 +395,7 @@ pathspec==1.0.0
395395
# via
396396
# black
397397
# mypy
398-
pillow==12.1.1
398+
pillow==12.2.0
399399
# via
400400
# captcha
401401
# streamlit
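Review bot: the `# via captcha` / `# streamlit` annotation shows pillow is only pulled into this lock transitively, so the hand-edited pin should be checked against what captcha and streamlit themselves accept before merging: editing the `==` line bypasses pip-tools' resolution, and if either package caps pillow below 12.2.0, or if pillow 12.2.0 changed its own dependency set, the lock would install under the constraint but no longer describe a consistent resolve. A `pip-compile --dry-run` against the same inputs (or `pip install --dry-run -c constraints/security.txt -r requirements-dev.lock`) would confirm that the edited pin is what the resolver would have produced.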

requirements-scan.lock

Lines changed: 1 addition & 1 deletion
@@ -75,7 +75,7 @@ optuna==3.6.2
7575
packaging==25.0
7676
pandas==2.3.3
7777
pandera==0.26.1
78-
pillow==12.1.1
78+
pillow==12.2.0
7979
prometheus-client==0.23.1
8080
propcache==0.4.1
8181
protobuf==6.33.5
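Review bot: this lock carries no `# via` annotations or `-c constraints/security.txt` reference, so nothing in the hunk records why 12.2.0 is the floor, and a future regeneration that does not pass the constraints file would silently drop back to whatever the resolver picks. When this file is next refreshed, generate it with the constraints file as an input (`pip-compile -c constraints/security.txt ...`, as requirements.lock evidently already does) so the floor is enforced rather than retyped by hand, and add a cheap pre-install check (for example `pip install --dry-run -c constraints/security.txt -r requirements-scan.lock`) ahead of "Setup Python environment" so a lock/constraint mismatch fails fast with a clear message instead of blocking unrelated PRs.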

requirements.lock

Lines changed: 1 addition & 1 deletion
@@ -285,7 +285,7 @@ pandera==0.26.1
285285
# via
286286
# -c constraints/security.txt
287287
# geosync (pyproject.toml)
288-
pillow==12.1.1
288+
pillow==12.2.0
289289
# via
290290
# captcha
291291
# streamlit
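Review bot: the `# via` block under pillow still lists only captcha and streamlit, while pandera's entry just above it shows `# -c constraints/security.txt`, which is how pip-tools records that the constraints file participated in a pin. Now that constraints/security.txt sets the pillow floor, a regenerated lock would add that line under pillow as well; either add it in this hunk so the annotation matches the reason for the pin, or state in the commit message that the `# via` annotations are known to be stale until the promised full refresh, so a later reader does not conclude the floor is unconstrained here.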
