Skip to content

fix(deps): clear pillow/click pip-audit CVEs#408

Merged
arekay-nv merged 1 commit into
mainfrom
fix/deps-pillow-click-cve
Jul 14, 2026
Merged

fix(deps): clear pillow/click pip-audit CVEs#408
arekay-nv merged 1 commit into
mainfrom
fix/deps-pillow-click-cve

Conversation

@arekay-nv

Copy link
Copy Markdown
Collaborator

What

Clears 6 newly-disclosed CVEs flagged by the audit CI job (uv run pip-audit):

Package How pulled in Was Now CVEs
Pillow direct pin 12.2.0 12.3.0 PYSEC-2026-2253/2254/2255/2256/2257
click transitive (transformers → typer) 8.3.2 8.4.2 PYSEC-2026-2132

Pillow is bumped in place; click is a transitive dep so it's floored via [tool.uv] constraint-dependencies = ["click>=8.3.3"]. Relock moves only these two packages.

Why separate

These CVEs published after main's last green audit run (2026-07-10), so main and all ~19 open PRs fail this job identically — it is not specific to any feature branch. Merging here lets every branch go green by rebasing/merging main, rather than each duplicating the lockfile edit (and colliding on uv.lock). Follows the precedent of prior fix(deps): CVE PRs (aiohttp #358, msgpack).

Verification

uv sync --frozen --extra dev --extra test --extra performance && uv run pip-auditNo known vulnerabilities found.

🤖 Generated with Claude Code

…p-audit CVEs

Pillow 12.2.0 carries PYSEC-2026-2253/54/55/56/57; click 8.3.2 (transitive
via transformers -> typer) carries PYSEC-2026-2132. Bumps the direct Pillow
pin and adds a [tool.uv] constraint floor for the transitive click. Relock
moves only click 8.3.2->8.4.2 and pillow 12.2.0->12.3.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@arekay-nv arekay-nv requested a review from a team July 13, 2026 18:49
@github-actions

Copy link
Copy Markdown

MLCommons CLA bot All contributors have signed the MLCommons CLA ✍️ ✅

@github-actions github-actions Bot requested a review from nvzhihanj July 13, 2026 18:49

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces dependency updates to address security vulnerabilities and upgrade package versions. Specifically, it adds a constraint dependency for click>=8.3.3 to mitigate CVE PYSEC-2026-2132, which upgrades click from 8.3.2 to 8.4.2 in the lockfile. Additionally, Pillow is upgraded from 12.2.0 to 12.3.0 in both pyproject.toml and uv.lock. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@arekay-nv arekay-nv merged commit ca91f61 into main Jul 14, 2026
10 checks passed
@arekay-nv arekay-nv deleted the fix/deps-pillow-click-cve branch July 14, 2026 04:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants