From 37bda7b992dd11af4f7e5d7b55622752f179e31c Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 13 Apr 2026 19:41:25 +0000 Subject: [PATCH 1/2] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/astral-sh/uv-pre-commit: 0.11.3 → 0.11.6](https://github.com/astral-sh/uv-pre-commit/compare/0.11.3...0.11.6) - [github.com/astral-sh/ruff-pre-commit: v0.15.9 → v0.15.10](https://github.com/astral-sh/ruff-pre-commit/compare/v0.15.9...v0.15.10) - [github.com/pre-commit/mirrors-mypy: v1.20.0 → v1.20.1](https://github.com/pre-commit/mirrors-mypy/compare/v1.20.0...v1.20.1) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0f80383..0cfd87c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -20,12 +20,12 @@ repos: - id: check-toml - repo: https://github.com/astral-sh/uv-pre-commit - rev: 0.11.3 + rev: 0.11.6 hooks: - id: uv-lock - repo: https://github.com/astral-sh/ruff-pre-commit - rev: 'v0.15.9' + rev: 'v0.15.10' hooks: - id: ruff-check args: [--fix, --exit-non-zero-on-fix] @@ -34,7 +34,7 @@ repos: types_or: [python, jupyter] - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.20.0 + rev: v1.20.1 hooks: - id: mypy entry: python3 -m mypy --config-file pyproject.toml From 06ad46fee979912d929eef59d7b01ec89a560178 Mon Sep 17 00:00:00 2001 From: "aieng-bot[bot]" Date: Tue, 14 Apr 2026 00:34:39 +0000 Subject: [PATCH 2/2] chore: bump pillow to 12.2.0 and pytest to 9.0.3 to fix CVEs - Bump pillow>=12.2.0 to fix CVE-2026-40192 (GZIP decompression bomb in FITS image handling) - Bump pytest>=9.0.3 to fix CVE-2025-71176 (local privilege escalation via /tmp directory) Co-authored-by: aieng-bot --- pyproject.toml | 3 ++- uv.lock | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 1c05fda..5fce400 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -17,6 +17,7 @@ dependencies = [ "polars>=1.35.0", # High-performance DataFrame library for data operations "pyarrow>=18.1.0", # Required for Parquet support "matplotlib", + "pillow>=12.2.0", # Pinning version to address vulnerability CVE-2026-40192 "fonttools>=4.60.2", # Pinning version to address vulnerability GHSA-768j-98cg-p3fv "urllib3>=2.6.3", # Pinning version to address vulnerabilities GHSA-gm62-xv2j-4w53 and GHSA-2xpw-w6gg-jr37 "cryptography>=46.0.6", # Pinning version to address vulnerability GHSA-m959-cc7f-wv43 @@ -66,7 +67,7 @@ dev = [ "pip>=25.2", # Pinning version to address vulnerability GHSA-4xh5-x5gv-qwph "pip-audit>=2.7.3", "pre-commit>=4.1.0", - "pytest>=9.0.3", + "pytest>=9.0.3", # Pinning version to address vulnerability CVE-2025-71176 "pytest-asyncio>=0.25.2", "pytest-cov>=6.0.0", "pytest-mock>=3.14.0", diff --git a/uv.lock b/uv.lock index 9b96cc9..8c2bb3b 100644 --- a/uv.lock +++ b/uv.lock @@ -1034,6 +1034,7 @@ dependencies = [ { name = "numpy" }, { name = "pandas" }, { name = "pandas-gbq" }, + { name = "pillow" }, { name = "polars" }, { name = "pyarrow" }, { name = "pyasn1" }, @@ -1101,6 +1102,7 @@ requires-dist = [ { name = "numpy" }, { name = "pandas" }, { name = "pandas-gbq", specifier = ">=0.31.0" }, + { name = "pillow", specifier = ">=12.2.0" }, { name = "polars", specifier = ">=1.35.0" }, { name = "pyarrow", specifier = ">=18.1.0" }, { name = "pyasn1", specifier = ">=0.6.2" },