
Bump pillow version to 10.3.0 #121

Open
wants to merge 1 commit into
base: main

Conversation

Mestrace

Addresses security vulnerabilities:

phibos (Collaborator) commented Apr 19, 2024

Thanks for your time and your contribution. I fully understand that no one should run a system with vulnerable software. But should a library tell a user which version is the right one to use? Don't get me wrong, but for example a user uses the system libraries, let's say on Ubuntu 23.10. The pillow version shipped is 10.0.0-1ubuntu0.1 and CVE-2023-50447 has been fixed on 25 January 2024 (Source: https://changelogs.ubuntu.com/changelogs/pool/main/p/pillow/pillow_10.0.0-1ubuntu0.1/changelog).

If we specify a version range, a user would be able to upgrade to the latest upstream version in a venv but could still use the system libraries if required.

pillow >= 10.0.1, < 11.0.0

We only have to modify the supported version range if there are breaking changes.

What do you think?
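
As an added example (not code from this PR or from the project), here is how a requirement line such as the exact pin in the PR title (`pillow == 10.3.0`) and the range proposed above are evaluated against installed versions. The script implements a simplified PEP 440 comparison for release-only versions (no pre-releases, local versions or wildcards); real tooling uses `packaging.specifiers.SpecifierSet`, which this mirrors for the clause forms used here. The environment names and version strings are constructed for illustration.

```python
"""Evaluate a requirement line against installed Pillow versions.

Simplified PEP 440 matching: release segments only. Real tooling uses
packaging.specifiers.SpecifierSet; this mirrors its semantics for the
clause forms that appear in this discussion (==, !=, <, <=, >, >=, ~=).
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed sample environments (not taken from the PR). A distro package
# such as Ubuntu 23.10's 10.0.0-1ubuntu0.1 still reports plain "10.0.0"
# through PIL.__version__ / importlib.metadata, so a backported fix is
# invisible to version-based matching.
ENVIRONMENTS: Dict[str, str] = {
    "ubuntu-23.10-system (10.0.0-1ubuntu0.1)": "10.0.0",
    "venv-older-upstream": "10.0.1",
    "venv-pr-target": "10.3.0",
    "venv-next-major": "11.0.0",
}

_CLAUSE = re.compile(r"(~=|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'10.0.1' -> (10, 0, 1)."""
    return tuple(int(p) for p in text.strip().split("."))


def _cmp(a: Version, b: Version) -> int:
    """Three-way compare with zero padding, so 10 == 10.0 == 10.0.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_specifier_set(spec: str) -> List[Tuple[str, Version]]:
    """'>= 10.0.1, < 11.0.0' -> [('>=', (10,0,1)), ('<', (11,0,0))]."""
    clauses = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _CLAUSE.fullmatch(raw)
        if m is None:
            raise ValueError(f"unsupported clause: {raw!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def satisfies(version: str, spec: str) -> bool:
    """True if every clause of the specifier set accepts the version."""
    v = parse_version(version)
    for op, sv in parse_specifier_set(spec):
        c = _cmp(v, sv)
        if op == "~=":
            # ~=X.Y.Z means >=X.Y.Z together with <X.(Y+1)
            if len(sv) < 2:
                raise ValueError("~= needs at least two version components")
            upper = sv[:-2] + (sv[-2] + 1,)
            ok = c >= 0 and _cmp(v, upper) < 0
        else:
            ok = {"==": c == 0, "!=": c != 0, "<": c < 0,
                  "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
        if not ok:
            return False
    return True


def parse_requirement(line: str) -> Tuple[str, str]:
    """'pillow >= 10.0.1, < 11.0.0' -> ('pillow', '>= 10.0.1, < 11.0.0')."""
    m = re.fullmatch(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*", line)
    if m is None:
        raise ValueError(f"bad requirement line: {line!r}")
    return m.group(1).lower(), m.group(2)


def evaluate(requirement: str,
             environments: Dict[str, str] = ENVIRONMENTS) -> Dict[str, bool]:
    """Map each constructed environment to whether it satisfies the line."""
    _name, spec = parse_requirement(requirement)
    return {env: satisfies(ver, spec) for env, ver in environments.items()}


if __name__ == "__main__":
    for req in ("pillow == 10.3.0", "pillow >= 10.0.1, < 11.0.0"):
        print(req)
        for env, ok in evaluate(req).items():
            print(f"  {'OK  ' if ok else 'FAIL'} {env}")
```

Running it shows the trade-off discussed above in concrete terms: the exact pin accepts only 10.3.0, while the range also accepts 10.0.1 and later 10.x releases. The constructed Ubuntu entry fails both lines, because the distro's security backport in 10.0.0-1ubuntu0.1 does not change the version number Python sees, so a floor of 10.0.1 cannot distinguish a patched 10.0.0 from an unpatched one.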
