chore: bump pillow dependency #427
Conversation
The pillow library has recently released a CVE that we're interested in adopting in our project. However, the version of pillow is pinned in this project to version 11 which doesn't have this CVE backported to it. It looks like Pillow is mainly provided for use in a CLI and it only uses the `.open` and `.show`. I don't see anything that would break in the change log if we allowed people to move up past version 11. I realize that Pillow 12 is supported in the newer version of the SDK (and that's what I'm being prompted to upgrade to) but I'd like to patch this CVE before we make the move to the new SDK.
@brycelowe can you update the lockfile please before we can merge
@blainekasten My apologies, I've updated the lockfile and pushed to my branch.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
pyproject.toml
Outdated
| { version = ">=1.26.0", python = ">=3.12" }, | ||
| ] | ||
| pillow = "^11.1.0" | ||
| pillow = ">=11.1.0,<13.0.0" |
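Review bot: the lower bound in `pillow = ">=11.1.0,<13.0.0"` is the same 11.1.0 minimum the old `^11.1.0` caret already had, so on its own this line only widens the accepted range and does not exclude any release the PR description says it wants to move past. If the intent is to require the fixed release, raise the floor, e.g. `pillow = ">=12.1.1,<13.0.0"`, so that consumers resolving from pyproject.toml rather than from the lockfile also get it.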
Lower bound still allows CVE-vulnerable Pillow versions
High Severity
The stated goal of this PR is to patch CVE-2026-25990, but the version constraint >=11.1.0,<13.0.0 still allows installing vulnerable Pillow versions (10.3.0 through 12.1.0 are affected, with the fix only in 12.1.1+). While the lockfile pins to 12.1.1, downstream consumers installing this as a library don't use the lockfile and their resolver may pick a vulnerable version. The vulnerability is an out-of-bounds write in Image.open() — the exact API used by this project. The lower bound needs to be >=12.1.1 to actually enforce the fix.
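A small check for the point made above, added here as an example and not code from the PR or from the project: it evaluates a Poetry-style constraint (caret or comparison clauses) against a list of release numbers and reports which versions inside a known-affected range the constraint still admits. The release list and the affected range (10.3.0 through 12.1.0, fixed in 12.1.1, as stated in the comment) are a constructed sample, not an authoritative Pillow release history.

```python
"""Does a dependency constraint still admit known-vulnerable releases?
Constructed example; not part of the PR or the project's own code."""
from typing import Callable, List, Tuple

Version = Tuple[int, ...]

# Constructed sample of release numbers to test against (not authoritative).
SAMPLE_RELEASES = ["10.2.0", "10.3.0", "11.0.0", "11.1.0", "11.2.1",
                   "11.3.0", "12.0.0", "12.1.0", "12.1.1"]


def parse(v: str) -> Version:
    """'12.1.1' -> (12, 1, 1); tuples compare component-wise."""
    return tuple(int(p) for p in v.strip().split("."))


def compile_constraint(spec: str) -> Callable[[Version], bool]:
    """Build a predicate from comma-separated clauses.
    Supports Poetry caret (^X.Y.Z == >=X.Y.Z,<X+1.0.0 for X>0) and
    the operators >=, <=, ==, >, <."""
    ops = ((">=", lambda a, b: a >= b), ("<=", lambda a, b: a <= b),
           ("==", lambda a, b: a == b), (">", lambda a, b: a > b),
           ("<", lambda a, b: a < b))
    clauses = []
    for raw in spec.split(","):
        clause = raw.strip()
        if clause.startswith("^"):
            lo = parse(clause[1:])
            hi = (lo[0] + 1, 0, 0)
            clauses.append(lambda v, lo=lo, hi=hi: lo <= v < hi)
            continue
        for op, fn in ops:  # two-char operators are tried first
            if clause.startswith(op):
                clauses.append(lambda v, fn=fn, b=parse(clause[len(op):]): fn(v, b))
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return lambda v: all(c(v) for c in clauses)


def admitted_vulnerable(spec: str, releases: List[str],
                        affected_lo: str, affected_hi: str) -> List[str]:
    """Releases the constraint accepts that lie in [affected_lo, affected_hi]."""
    accepts = compile_constraint(spec)
    lo, hi = parse(affected_lo), parse(affected_hi)
    return [r for r in releases if lo <= parse(r) <= hi and accepts(parse(r))]


if __name__ == "__main__":
    for spec in ("^11.1.0", ">=11.1.0,<13.0.0", ">=12.1.1,<13.0.0"):
        print(spec, "->", admitted_vulnerable(spec, SAMPLE_RELEASES, "10.3.0", "12.1.0"))
```

The lockfile pin is irrelevant to this check on purpose: a library's consumers resolve from the constraint in pyproject.toml, so an empty result for the proposed floor is what shows the fix is actually enforced.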
@blainekasten I'm happy to bump the minimum here as well.
The pillow library has recently released a CVE that we're interested in adopting in our project (CVE-2026-25990). However, the version of pillow is pinned in this project to version 11 which doesn't have this CVE backported to it.
It looks like Pillow is mainly provided for use in a CLI and it only uses the `.open` and `.show`. I don't see anything that would break in the change log if we allowed people to move up past version 11. I realize that Pillow 12 is supported in the newer version of the SDK (and that's what I'm being prompted to upgrade to) but I'd like to patch this CVE before we make the move to the new SDK.
Have you read the Contributing Guidelines?
Issue #426
Describe your changes
Relax the hard pin of version 11 to include version 12. The usage of Pillow in this SDK seems limited to the `.open` and `.show` APIs.
Note
Medium Risk
Dependency major-version bump (Pillow 11→12) could introduce subtle runtime behavior changes for image handling, though the code change itself is limited to dependency/lock updates.
Overview
Updates the `pillow` dependency constraint to `>=12.1.1,<13.0.0` (from the v11 range) to pull in the newer major release. Regenerates `poetry.lock` with Poetry 2.3.2, updating the locked Pillow artifact set/metadata and the lockfile content hash accordingly.
Written by Cursor Bugbot for commit a506b33.