chore(deps): Bump pillow and mako for security advisories #46

Merged
mverteuil merged 2 commits into main from chore/security-upgrades on Apr 24, 2026
Conversation

@mverteuil

@mverteuil mverteuil commented Apr 24, 2026

Owner

Summary

Resolves open Dependabot alerts and removes unused install-tool declarations from runtime deps.

Lockfile bumps (existing constraints already permit):

Dep cleanup:

  • Removed pip and wheel from runtime dependencies — nothing in src/ imports them; they were install-tool plumbing in the wrong list. Unpinning them lets future upstream fixes (e.g. the open pip alert fix: Bump semgrep to v1.137.0 to fix CI pkg_resources error #35) flow in without pyproject churn.
  • setuptools remains in [build-system].requires for building the package.

Test plan

Resolves three open Dependabot alerts:
- pillow 11.3.0 → 12.2.0 (GHSA — PSD OOB write, FITS GZIP decompression bomb)
- mako 1.3.10 → 1.3.11 (GHSA — path traversal via double-slash in TemplateLookup)

No pyproject.toml changes required — the existing constraints already permit
these versions; only the lockfile moves. pip (26.0.1) has an open alert with
no patched version available and is left as-is.
pip and wheel were declared as runtime deps but nothing in src/ imports
them — they were installer-plumbing that ended up in the wrong list.
Removing them unpins them in the lockfile, so any future pip security
fix (e.g. Dependabot alert #35) will land via upstream upgrades
without a version bump here.

setuptools remains in [build-system].requires since it's used to build
the package itself.
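
An added check (not code from the PR or the project) for the claim that nothing in src/ imports the removed runtime deps: it walks a source tree with the standard ast module and reports declared dependencies that no module imports. The distribution-to-import-name map and the sample files in the demo are assumptions constructed for the example.

```python
import ast
import tempfile
from pathlib import Path

# Distribution name -> top-level import name where they differ (assumed mapping).
IMPORT_NAMES = {"pillow": "PIL", "mako": "mako", "pip": "pip", "wheel": "wheel"}


def imported_top_level_modules(src_root: Path) -> set[str]:
    """Collect the top-level name of every absolute import under src_root."""
    found: set[str] = set()
    for path in src_root.rglob("*.py"):
        tree = ast.parse(path.read_text(encoding="utf-8"), filename=str(path))
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for alias in node.names:
                    found.add(alias.name.split(".")[0])
            elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
                # Relative imports (level > 0) refer to the package itself, skip them.
                found.add(node.module.split(".")[0])
    return found


def unused_runtime_deps(src_root: Path, declared: list[str]) -> list[str]:
    """Return declared runtime dependencies that no module under src_root imports."""
    imported = imported_top_level_modules(src_root)
    unused = []
    for dist in declared:
        module = IMPORT_NAMES.get(dist.lower(), dist.lower().replace("-", "_"))
        if module not in imported:
            unused.append(dist)
    return unused


def demo() -> list[str]:
    """Constructed sample tree: src/ uses PIL and mako but never pip or wheel."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "src" / "pkg"
        pkg.mkdir(parents=True)
        (pkg / "__init__.py").write_text("from . import render\n", encoding="utf-8")
        (pkg / "render.py").write_text(
            "from mako.template import Template\nimport PIL.Image\n", encoding="utf-8"
        )
        return unused_runtime_deps(Path(tmp) / "src", ["pillow", "mako", "pip", "wheel"])


if __name__ == "__main__":
    print(demo())  # ['pip', 'wheel']
```

Running it against a real src/ with the dependency list from pyproject.toml flags candidates for the same cleanup this PR performs; a dependency that is only used via an entry point or plugin registration will show up too, so review the result rather than deleting blindly.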
@mverteuil mverteuil merged commit d6817fc into main Apr 24, 2026
8 checks passed
@mverteuil mverteuil deleted the chore/security-upgrades branch April 24, 2026 18:11