Skip to content

[Snyk] Security upgrade pillow from 9.2.0 to 12.3.0#29

Open
mandibles232 wants to merge 1 commit into
masterfrom
snyk-fix-59850fbaa48b2123ab0e2f47760f716c
Open

[Snyk] Security upgrade pillow from 9.2.0 to 12.3.0#29
mandibles232 wants to merge 1 commit into
masterfrom
snyk-fix-59850fbaa48b2123ab0e2f47760f716c

Conversation

@mandibles232

Copy link
Copy Markdown

snyk-top-banner

Snyk has created this PR to fix 4 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

  • requirements.txt
⚠️ Warning
matplotlib 3.3.3 requires numpy, which is not installed.
matplotlib 3.3.3 requires pillow, which is not installed.
fpdf2 2.5.5 requires Pillow, which is not installed.

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@mandibles232

Copy link
Copy Markdown
Author

Merge Risk: High

This major version upgrade from Pillow 9.2.0 to 12.3.0 includes multiple breaking changes across three major versions (10.x, 11.x, 12.x). The changes involve dropped support for end-of-life Python versions and the removal of several deprecated APIs.

Key Breaking Changes:

  • Python Version Support:

    • Pillow 10.0.0 dropped support for Python 3.7.
    • Pillow 11.0.0 dropped support for Python 3.8.
    • Pillow 12.0.0 dropped support for Python 3.9.
      Your environment must be running Python 3.10 or newer.
  • API Removals & Changes:

    • im.category Removed (v10.0.0): The im.category attribute and related constants (Image.NORMAL, Image.SEQUENCE) have been removed. To check if an image is animated, you must now use getattr(im, "is_animated", False).
    • ImageFont String Length Limit (v10.0.0): To prevent denial-of-service attacks, a ValueError is now raised if text length exceeds ImageFont.MAX_STRING_LENGTH. This may affect applications rendering very long strings.
    • ImageCms Constants Removed (v12.0.0): Several constants and the versions() function in ImageCms were removed and replaced with the ImageCms.Flags class.
    • Internal/Deprecated API Removals: Several other deprecated or internal functions have been removed, including JpegImagePlugin.convert_dict_qtables, PyAccess, and ImageFile.raise_oserror().
  • Environment:

    • 32-bit wheels are no longer provided as of version 10.0.0.

Recommendation:
This upgrade requires careful validation. Developers must ensure their environment uses a supported Python version (3.10+). Code should be reviewed and updated to replace usage of removed APIs, especially for checking animated images and handling long text rendering. Thorough testing is essential before deployment.

Source: Pillow Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants