Skip to content

BLD: update pillow dependency#15534

Merged
dstansby merged 1 commit intomatplotlib:masterfrom
tacaswell:mnt_bump_pillow
Oct 27, 2019
Merged

BLD: update pillow dependency#15534
dstansby merged 1 commit intomatplotlib:masterfrom
tacaswell:mnt_bump_pillow

Conversation

@tacaswell
Copy link
Copy Markdown
Member

@tacaswell tacaswell commented Oct 26, 2019

Pillow has a security issue for <6.2.0 (CVE-2019-16865).

This is in violation of our normal support window for dependencies,
however we are making an exception due to the CVE.

This may be too aggressive of a pinning from our down-stream
packagers, but they can patch this out if required.

PR Summary

PR Checklist

  • Has Pytest style unit tests
  • Code is Flake 8 compliant
  • New features are documented, with examples if plot related
  • Documentation is sphinx and numpydoc compliant
  • Added an entry to doc/users/next_whats_new/ if major new feature (follow instructions in README.rst there)
  • Documented in doc/api/api_changes.rst if API changed in a backward-incompatible way

@tacaswell
BLD: update pillow dependency
4a84674 
Pillow has a security issue for <6.2.0 (CVE-2019-16865).

This is in violation of our normal support window for dependencies,
however we are making an exception due to the CVE.
@tacaswell tacaswell added this to the v3.3.0 milestone Oct 26, 2019
@tacaswell
Copy link
Copy Markdown
Member Author

tacaswell commented Oct 26, 2019

We only have a hard dependency on pillow on master branch.

@dstansby dstansby merged commit c684a79 into matplotlib:master Oct 27, 2019
@tacaswell tacaswell deleted the mnt_bump_pillow branch October 27, 2019 20:08
@timhoffm
Copy link
Copy Markdown
Member

timhoffm commented Oct 28, 2019

Should we set up https://dependabot.com/ for the project? It would have warned and created this PR automatically.

@tacaswell
Copy link
Copy Markdown
Member Author

tacaswell commented Oct 28, 2019

github them selves warned us (or at least me?) about this one.

@timhoffm
Copy link
Copy Markdown
Member

timhoffm commented Oct 28, 2019

Ok, then at least you get the info already 😄.

@QuLogic
Copy link
Copy Markdown
Member

QuLogic commented Oct 28, 2019

TBH, I'm not really sure we need to do this regularly (having not looked at the CVE.) Patches could have been backported depending on where you get Pillow, so our requirement really should be about functionality.

@timhoffm timhoffm mentioned this pull request Oct 29, 2019
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@timhoffm timhoffm timhoffm approved these changes

@dstansby dstansby dstansby approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v3.3.0

Development

Successfully merging this pull request may close these issues.

4 participants

@tacaswell @timhoffm @QuLogic @dstansby