
fix(deps): upgrade Pillow to 12.1.1 to resolve CVE-2026-25990 #233

Merged
kunickiaj merged 1 commit into main from 03-15-fix_deps_upgrade_pillow_to_12.1.1_to_resolve_cve-2026-25990 on Mar 15, 2026

Conversation

@kunickiaj
Owner

@kunickiaj kunickiaj commented Mar 15, 2026

Description

Upgrade Pillow from 11.3.0 to 12.1.1 to resolve CVE-2026-25990 (GHSA-cfh3-3jmp-rvhc), a high-severity out-of-bounds write when loading PSD images.

fastembed 0.7.4 caps pillow<12.0, but the fix has already merged upstream (qdrant/fastembed#611) — just no release yet. Added a [tool.uv] override-dependencies entry to force pillow>=12.1.1 past the cap. The override should be removed once fastembed >= 0.7.5 ships.

Type of Change

  • 🐛 Bug fix (fixes an issue)
  • 🔧 Maintenance (refactor, chore, CI, etc.)

Testing

  • Tests pass locally (pytest) — 769 passed
  • Manually verified uv sync resolves Pillow 12.1.1

Checklist

  • Code follows project style (ruff check and ruff format pass)
  • Self-review completed
  • No new warnings introduced

Fixes https://github.com/kunickiaj/codemem/security/dependabot/5

Owner Author

kunickiaj commented Mar 15, 2026


Add uv override-dependencies for pillow>=12.1.1 to work around fastembed's
pillow<12.0 cap. fastembed main has the fix (PR #611) but no release yet.
The override can be removed once fastembed >= 0.7.5 ships.

Fixes: https://github.com/kunickiaj/codemem/security/dependabot/5
@kunickiaj kunickiaj changed the base branch from 03-15-feat_show_active_observer_auth_in_settings to graphite-base/233 March 15, 2026 18:30
@kunickiaj kunickiaj force-pushed the 03-15-fix_deps_upgrade_pillow_to_12.1.1_to_resolve_cve-2026-25990 branch from 1565703 to 3b43851 on March 15, 2026 18:31
@kunickiaj kunickiaj changed the base branch from graphite-base/233 to main March 15, 2026 18:31
@kunickiaj kunickiaj marked this pull request as ready for review March 15, 2026 18:37

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3b43851a68


Comment thread pyproject.toml
@kunickiaj kunickiaj merged commit 69c22c1 into main Mar 15, 2026
16 checks passed
@kunickiaj kunickiaj deleted the 03-15-fix_deps_upgrade_pillow_to_12.1.1_to_resolve_cve-2026-25990 branch March 15, 2026 18:39