[Snyk] Security upgrade pillow from 9.5.0 to 12.3.0#46
Conversation
…ts.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-17824465 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-17824466 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-17824468 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-17824469
|
This major version upgrade from Pillow 9.5.0 to 12.3.0 includes several significant breaking changes that require code modifications and environment updates. Key Breaking Changes:
Recommendation: This upgrade requires significant developer action. Before merging, you must:
Source: Pillow Changelog [1, 5]
|
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request adds a pinned dependency on pillow>=12.3.0 in requirements.txt to mitigate a security vulnerability. However, since version 12.3.0 is currently unreleased on PyPI, this change will cause pip install to fail. It is recommended to downgrade the pinned version to >=12.2.0, which is the latest stable release containing the necessary security patches.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| @@ -1 +1,2 @@ | |||
| appengine-python-standard>=0.2.3 No newline at end of file | |||
| appengine-python-standard>=0.2.3 | |||
| pillow>=12.3.0 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file | |||
There was a problem hiding this comment.
Pillow version 12.3.0 is currently unreleased on PyPI (the latest stable release is 12.2.0). Pinning >=12.3.0 will cause pip install to fail because it cannot resolve the dependency. To avoid breaking the build while still resolving the security vulnerabilities, please downgrade the pin to >=12.2.0, which is the latest stable release on PyPI and includes the security patches.
pillow>=12.2.0 # not directly required, pinned by Snyk to avoid a vulnerability
Snyk has created this PR to fix 4 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
appengine/standard_python3/bundled-services/mail/wsgi/requirements.txtBreaking Change Risk
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
Summary by cubic
Pin
pillowto 12.3.0+ in the mail WSGI service’s requirements to remove known vulnerabilities and ensure the library is installed. This satisfiesappengine-python-standard’s dependency and keeps image handling secure.Written for commit 64995ae. Summary will update on new commits.