Skip to content

fix(deps): bump pillow to 12.3.0 and click to 8.4.2#2097

Merged
JerrettDavis merged 1 commit into
headroomlabs-ai:mainfrom
lennney:fix/pillow-click-cve-2026-07
Jul 13, 2026
Merged

fix(deps): bump pillow to 12.3.0 and click to 8.4.2#2097
JerrettDavis merged 1 commit into
headroomlabs-ai:mainfrom
lennney:fix/pillow-click-cve-2026-07

Conversation

@lennney

@lennney lennney commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Description

Pip-audit found 6 vulnerabilities in 2 packages in the lockfile:

Package From To Vulns Fixed
click 8.3.1 8.4.2 PYSEC-2026-2132
pillow 12.2.0 12.3.0 PYSEC-2026-2253~2257

Closes #N/A (no issue filed — security workflow failure)

Type of Change

  • Bug fix (non-breaking)
  • New feature (non-breaking)
  • Breaking change
  • Documentation update

Changes Made

  • uv.lock: Upgraded click from 8.3.1 to 8.4.2, pillow from 12.2.0 to 12.3.0

Testing

  • uv lock --upgrade-package resolved cleanly
  • ruff check headroom/ passes
  • CLI import verified (click 8.4.2 loads correctly)
$ uv run python -c "import click; print(click.__version__)"
click: 8.4.2

$ uv tree --depth=1 | grep -E "click|pillow"
click v8.4.2
pillow v12.3.0 (extra: all)
pillow v12.3.0 (extra: image)

Real Behavior Proof

  • Environment: headroom main (upstream/main c365c7f), uv-managed Python 3.12
  • Exact command / steps: uv lock --upgrade-package "pillow>=12.3.0" --upgrade-package "click>=8.3.3" on upstream/main; then git diff --stat, uv run python -c "import click; print(click.__version__)"
  • Observed result: uv.lock only changed; click 8.3.1 → 8.4.2, pillow 12.2.0 → 12.3.0; ruff passes; no test regressions
  • Not tested: E2E proxy (dependency-only change — no code changes)

Review Readiness

  • I have performed a self-review
  • This PR is ready for human review

@lennney lennney marked this pull request as ready for review July 13, 2026 08:46
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

PR governance

This PR follows the template and is marked ready for human review.

@github-actions github-actions Bot added the status: needs author action Pull request body or readiness checklist still needs author updates label Jul 13, 2026
Pip-audit CI found 6 vulnerabilities in 2 production dependencies:

- click 8.3.1 -> 8.4.2 (PYSEC-2026-2132: command injection
  in click.edit())
- pillow 12.2.0 -> 12.3.0 (PYSEC-2026-2253~2257: 5 CVEs
  covering decompression bomb bypass + Windows command injection)

Only uv.lock changed.
@lennney lennney force-pushed the fix/pillow-click-cve-2026-07 branch from 283f1fc to 2bdfa6d Compare July 13, 2026 10:18
@lennney lennney marked this pull request as draft July 13, 2026 10:21
@github-actions github-actions Bot removed the status: needs author action Pull request body or readiness checklist still needs author updates label Jul 13, 2026
@lennney lennney marked this pull request as ready for review July 13, 2026 11:06
@github-actions github-actions Bot added the status: ready for review Pull request body is complete and the author marked it ready for human review label Jul 13, 2026
@JerrettDavis JerrettDavis merged commit 8870b69 into headroomlabs-ai:main Jul 13, 2026
30 of 32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

status: ready for review Pull request body is complete and the author marked it ready for human review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants