Summary
The e2b-desktop 2.3.0 artifacts published to PyPI declare a Pillow upper bound that contradicts the source repo:
- Published wheel / sdist metadata (PyPI): pillow<12.0.0,>=11.1.0
- Source packages/python-sdk/pyproject.toml (this repo, main): pillow = "^12.0.0" (i.e. >=12.0.0,<13.0.0)
These ranges are mutually exclusive, so the published wheel was clearly not built from current main. Most likely 2.3.0 was tagged/published before the Pillow bump in the source was merged (or without re-running the publish workflow afterwards).
Why this matters: forces installs onto a Pillow with two open High-severity CVEs
Because e2b-desktop 2.3.0 caps pillow<12.0.0, any project that depends on it gets pulled back to Pillow 11.x, which is affected by:
- GHSA-cfh3-3jmp-rvhc: affected versions >=10.3.0,<12.1.1. Fixed in 12.1.1.
- GHSA-whj4-6x5x-4v2j: affected versions >=10.3.0,<12.2.0. Fixed in 12.2.0.
Dependabot/Renovate flags both alerts on any project that transitively depends on e2b-desktop 2.3.0, with no clean upgrade path because of the cap.
Today the only workaround is something like tool.uv.override-dependencies = ["pillow>=12.2.0"], which is uv-only and silently bypasses upstream constraints.
Suggested fix
Cut a patch release (e2b-desktop 2.3.1) from current main so the published wheel reflects the actual pillow = "^12.0.0" constraint and downstream users can pick up the patched Pillow >= 12.2.0.
Reproduction
pip download --no-deps e2b-desktop==2.3.0
unzip -p e2b_desktop-2.3.0-py3-none-any.whl '*.dist-info/METADATA' | grep -i pillow
# Requires-Dist: pillow (<12.0.0,>=11.1.0)
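The commands above check one wheel by hand. As an added example (not code from the issue or the e2b-desktop project), the stdlib-only script below reads the Requires-Dist line out of wheel METADATA, expands the Poetry caret constraint from pyproject.toml, and reports whether the two ranges can both be satisfied and whether the published cap even allows the patched Pillow; the METADATA text is constructed from the values quoted above, and version strings are assumed to be plain X.Y.Z.

```python
import re
from typing import Optional, Tuple
Version = Tuple[int, ...]
Range = Tuple[Optional[Version], Optional[Version]]  # half-open [lo, hi); None = unbounded

# Constructed sample input copied from the issue text, not fetched from PyPI.
WHEEL_METADATA = """Name: e2b-desktop
Version: 2.3.0
Requires-Dist: pillow (<12.0.0,>=11.1.0)
Requires-Dist: e2b (>=2.0.0)
"""
PYPROJECT_PILLOW = "^12.0.0"  # Poetry caret constraint from pyproject.toml
PATCHED_PILLOW = "12.2.0"     # release that closes both advisories named above

def parse_version(s: str) -> Version:
    # Assumes plain dotted-integer versions (X.Y.Z), which is all this check needs.
    return tuple(int(p) for p in s.strip().split("."))

def caret_to_range(caret: str) -> Range:
    # Poetry caret: ^12.0.0 -> >=12.0.0,<13.0.0 (bump the leftmost non-zero component).
    lo = parse_version(caret.lstrip("^"))
    idx = next((i for i, p in enumerate(lo) if p), len(lo) - 1)
    return lo, lo[:idx] + (lo[idx] + 1,) + (0,) * (len(lo) - idx - 1)

def requires_dist_range(metadata: str, name: str) -> Range:
    # Pull the bounds for `name` out of the wheel's Requires-Dist lines (>= and < only).
    lo = hi = None
    pat = re.compile(rf"Requires-Dist:\s*{re.escape(name)}\s*\((.*)\)", re.I)
    for m in filter(None, map(pat.match, metadata.splitlines())):
        for spec in m.group(1).split(","):
            op, ver = re.match(r"\s*(>=|<)\s*([\d.]+)", spec).groups()
            if op == ">=":
                lo = parse_version(ver)
            else:
                hi = parse_version(ver)
    return lo, hi

def ranges_overlap(a: Range, b: Range) -> bool:
    # Disjoint ranges mean the wheel cannot have been built from that source constraint.
    (alo, ahi), (blo, bhi) = a, b
    return (ahi is None or blo is None or blo < ahi) and (bhi is None or alo is None or alo < bhi)

def allows(rng: Range, version: str) -> bool:
    v, (lo, hi) = parse_version(version), rng
    return (lo is None or v >= lo) and (hi is None or v < hi)

def audit() -> dict:
    published = requires_dist_range(WHEEL_METADATA, "pillow")
    return {"built_from_source": ranges_overlap(published, caret_to_range(PYPROJECT_PILLOW)),
            "patch_installable": allows(published, PATCHED_PILLOW)}  # both False for 2.3.0
```

Feeding it the real METADATA extracted with the unzip command above gives the same two False results, which is the mismatch this issue reports.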
Thanks!