⬆️(dependencies) pin pillow to v12.2.0 [SECURITY]#668
Conversation
Pillow 12.1.1 is vulnerable to CVE-2026-40192 (FITS GZIP decompression bomb). easy_thumbnails pulls pillow transitively with no upper bound, so enforce the floor via a uv constraint rather than a direct dependency bump.
|
| constraint-dependencies = [ | ||
| # Pin pillow above the version vulnerable to CVE-2026-40192 | ||
| # (FITS GZIP decompression bomb). Pulled transitively via | ||
| # easy_thumbnails, which has no upper bound on pillow. | ||
| "pillow>=12.2.0", |
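Review bot: the `"pillow>=12.2.0"` constraint only takes effect once the project is re-resolved, so this change needs the regenerated `uv.lock` committed alongside it; until `uv lock` is run the existing lock still carries whatever pillow it had before. It is also worth one more line in the comment noting that `[tool.uv] constraint-dependencies` only narrows this project's own resolution and is not propagated to anything that installs this project as a dependency, so downstream consumers get no protection from this entry.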
Not sure we need this, since this is the purpose of the lock file.
I was concerned by the fact that the next uv lock|add|remove would overwrite the value in the lock file automatically 🤔 Do you think we are safe doing this only in the lock file, or not?
I don't think uv would downgrade a dependency unless a lib requires it explicitly. I don't have a strong opinion on this; you are right that it's explicit, and if some dependency tries to downgrade, it will raise directly instead of being detected afterward. So it's a good idea ;)



Summary
- Pillow 12.1.1 is vulnerable to CVE-2026-40192, a FITS GZIP decompression bomb that can be triggered by a crafted image.
- Pillow is pulled in transitively via easy_thumbnails, which has no upper bound, so a plain version bump isn't an option.
- Add a [tool.uv] constraint-dependencies entry pinning pillow>=12.2.0 so any transitive pull picks up the patched release.