Update dependency pillow to v12.2.0 [SECURITY]

ab13e8d
Merged

Update dependency pillow to v12.2.0 [SECURITY] #249

Claude / Claude Code Review completed Apr 13, 2026 in 4m 20s

Code review found 1 important issue

Found 1 candidates, confirmed 1. See review comments for details.

Details

Severity Count
🔴 Important 1
🟡 Nit 0
🟣 Pre-existing 0
Severity File:Line Issue
🔴 Important template/requirements.txt:9 Security fix incomplete: chart_data_extractor/poetry.lock still pins vulnerable Pillow 12.1.1

Annotations

Check failure on line 9 in template/requirements.txt

@claude claude / Claude Code Review

Security fix incomplete: chart_data_extractor/poetry.lock still pins vulnerable Pillow 12.1.1

This PR fixes CVE-2026-40192 in `template/requirements.txt` by upgrading Pillow to 12.2.0, but `chart_data_extractor/poetry.lock` still pins Pillow at 12.1.1 (line 599), leaving that environment exposed to the same FITS decompression bomb vulnerability. Run `poetry update pillow` in `chart_data_extractor/` and commit the updated lock file to complete the fix.