
chore(deps): bump pillow, django, uv to patch security vulnerabilities#213

Merged: matrixise merged 3 commits into master from fix/pillow-cve-2026-40192 on Apr 21, 2026

Conversation

@matrixise
Contributor

@matrixise matrixise commented Apr 21, 2026

Summary

Patches Dependabot alert #165 plus pre-existing pip-audit findings that were blocking CI:

Pins were edited directly instead of re-running uv pip compile to keep the diff minimal and avoid unrelated churn from local vs. CI uv-version differences.

Test plan

Fixes GHSA-whj4-6x5x-4v2j (CVE-2026-40192): FITS GZIP decompression bomb
in Pillow. Affected versions: >= 10.3.0, < 12.2.0.
Fixes pip-audit findings blocking CI:
- django 6.0.3 -> 6.0.4: CVE-2026-33033, CVE-2026-33034, CVE-2026-4292,
  CVE-2026-4277, CVE-2026-3902
- uv 0.10.8 -> 0.11.7: GHSA-pjjw-68hj-v9mw
@matrixise matrixise changed the title chore(deps): bump pillow from 12.1.1 to 12.2.0 chore(deps): bump pillow, django, uv to patch security vulnerabilities Apr 21, 2026
@matrixise matrixise merged commit f5c0a2c into master Apr 21, 2026
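The PR above lists three vulnerable version ranges (Pillow >= 10.3.0, < 12.2.0; Django < 6.0.4; uv < 0.11.7) and notes that the pins were edited by hand rather than regenerated. As an added illustration of the kind of check pip-audit performs (this is not the repository's own code, and the requirements file is constructed for the example), the snippet below parses exact `==` pins from a requirements file and flags any that fall inside those ranges. The advisory identifiers and version bounds are taken from the PR description; everything else is assumed for the example.

```python
"""Flag exact-pinned requirements that sit inside known-vulnerable version ranges.

Added example: a minimal, offline stand-in for a pip-audit style check using
only the ranges stated in the PR. It handles '==' pins only; range specifiers
are skipped because their resolved version is not knowable without a resolver.
"""
import re

# Constructed sample: the pre-bump pins from the PR plus one unaffected package.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the example
django==6.0.3
pillow==12.1.1
uv==0.10.8
requests==2.32.3
"""

# Vulnerable ranges as stated in the PR description.
# (package, lower bound inclusive or None, upper bound exclusive, advisory)
ADVISORIES = [
    ("pillow", "10.3.0", "12.2.0", "GHSA-whj4-6x5x-4v2j / CVE-2026-40192"),
    ("django", None, "6.0.4", "CVE-2026-33033 and related"),
    ("uv", None, "0.11.7", "GHSA-pjjw-68hj-v9mw"),
]

_PIN_RE = re.compile(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)")


def parse_version(text):
    """Split a plain dotted release version into an integer tuple."""
    return tuple(int(part) for part in text.split("."))


def compare(a, b):
    """Compare two dotted versions; pads so 1.0 == 1.0.0. Returns -1, 0 or 1."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def parse_pins(text):
    """Return {normalized_name: version} for every exact '==' pin in the file."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = _PIN_RE.fullmatch(line)
        if match is None:
            continue  # not an exact pin; cannot audit without resolving
        pins[match.group(1).lower().replace("_", "-")] = match.group(2)
    return pins


def is_vulnerable(version, lower, upper):
    """True when lower <= version < upper (lower may be None)."""
    if lower is not None and compare(version, lower) < 0:
        return False
    return compare(version, upper) < 0


def audit(text, advisories=ADVISORIES):
    """Return (package, pinned_version, first_fixed_version, advisory) for each hit."""
    pins = parse_pins(text)
    findings = []
    for package, lower, upper, advisory in advisories:
        pinned = pins.get(package)
        if pinned is not None and is_vulnerable(pinned, lower, upper):
            findings.append((package, pinned, upper, advisory))
    return findings


if __name__ == "__main__":
    for package, pinned, fixed, advisory in audit(SAMPLE_REQUIREMENTS):
        print(f"{package}=={pinned} is affected by {advisory}; upgrade to >= {fixed}")
```

Running it against the constructed file reports all three pre-bump pins; replacing them with the post-bump versions from the PR (django 6.0.4, pillow 12.2.0, uv 0.11.7) yields no findings, which is the state CI expected before the pip-audit gate would pass.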
2 checks passed