chore(deps): update dependency pillow to v12.1.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
Pillow (changelog)	12.1.0 → 12.1.1

GitHub Vulnerability Alerts

CVE-2026-25990

Impact

An out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected.

Patches

Pillow 12.1.1 will be released shortly with a fix for this.

Workarounds

Image.open() has a formats parameter that can be used to prevent PSD images from being opened.

References

Pillow 12.1.1 will add release notes at https://pillow.readthedocs.io/en/stable/releasenotes/index.html

---

Release Notes

python-pillow/Pillow (Pillow)

v12.1.1

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

poetry.lock

Package	Version	License	Issue Type
pillow	12.1.1	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
pip/pillow	12.1.1	🟢 7.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 9/11 approved changesets -- score normalized to 8 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches

Scanned Files

• poetry.lock

[github-actions]

Coverage report

This PR does not seem to contain any modification to coverable code.

[github-actions]

Test Results (Python 3.14)

183 tests  ±0   183 ✅ ±0   18s ⏱️ ±0s
  1 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 644cfbb. ± Comparison against base commit b1fd94d.

♻️ This comment has been updated with latest results.

[github-actions]

Combined Test Results

  5 files  ±0    5 suites  ±0   1m 17s ⏱️ +5s
183 tests ±0  183 ✅ ±0  0 💤 ±0  0 ❌ ±0 
915 runs  ±0  915 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 644cfbb. ± Comparison against base commit b1fd94d.

♻️ This comment has been updated with latest results.