
Pillow vulnerabilities

Open matsair opened this issue 1 year ago • 2 comments

Description

There are multiple OSV vulnerability issues with the Pillow 9.x package dependency. An update to 10.x (https://github.com/whylabs/whylogs/blob/mainline/python/pyproject.toml#L68) is currently not possible.

Some vulnerabilities:

  • https://osv.dev/vulnerability/GHSA-3f63-hfp8-52jq
  • https://osv.dev/GHSA-56pw-mpj4-fxww
  • https://osv.dev/GHSA-8ghj-p4vj-mr35

Steps to reproduce:

  • poetry install
  • osv-scanner --lockfile poetry.lock (https://github.com/google/osv-scanner)


Suggestions

Could we update Pillow to its latest version?

matsair avatar Feb 02 '24 16:02 matsair
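The two reproduction steps above depend on `poetry install` and a network-backed `osv-scanner` run. As an added example (not whylogs code and not osv-scanner output), the script below does the core of that check offline: it pulls the pinned Pillow version out of a `poetry.lock` `[[package]]` table, compares it with the fixed version of each advisory the issue lists, and then tests whether a `pyproject.toml` version constraint would even admit the fixed release. The lock-file excerpt is constructed, the fixed versions are the ones I recall from the three GHSA entries and should be confirmed against the `affected[].ranges` data on osv.dev, and the `EXAMPLE_CONSTRAINT` is hypothetical; the real constraint at pyproject.toml line 68 is not quoted on this page.

```python
import re

# Constructed poetry.lock excerpt (not the whylogs lock file); the layout
# mirrors the real [[package]] tables Poetry writes.
SAMPLE_LOCK = '''
[[package]]
name = "numpy"
version = "1.24.4"
description = "Fundamental package for array computing in Python"
optional = false
python-versions = ">=3.8"

[[package]]
name = "pillow"
version = "9.5.0"
description = "Python Imaging Library (Fork)"
optional = false
python-versions = ">=3.7"

[[package]]
name = "whylogs-sketching"
version = "3.4.1.dev3"
description = "sketching library of whylogs"
optional = false
python-versions = "*"
'''

# Fixed Pillow versions per advisory, as I recall them from the GHSA pages.
# ASSUMPTION: verify against osv.dev before relying on these thresholds.
ADVISORIES = {
    "GHSA-3f63-hfp8-52jq": "10.2.0",
    "GHSA-56pw-mpj4-fxww": "10.0.0",
    "GHSA-8ghj-p4vj-mr35": "10.0.1",
}

# Hypothetical pyproject.toml constraint that caps Pillow below 10.x; the
# actual whylogs constraint is not reproduced on the issue page.
EXAMPLE_CONSTRAINT = ">=9.2.0,<10.0.0"


def parse_lock(text):
    """Return {package_name: version} from the [[package]] tables of a poetry.lock."""
    packages = {}
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            packages[name.group(1).lower()] = version.group(1)
    return packages


def release_tuple(version):
    """Numeric release segments only; pre-release tags such as .dev3 are ignored."""
    parts = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def unpatched_advisories(lock_text, package="pillow", advisories=ADVISORIES):
    """Advisory IDs whose fixed version is newer than the pinned one, or None if not pinned."""
    pinned = parse_lock(lock_text).get(package)
    if pinned is None:
        return None
    current = release_tuple(pinned)
    return sorted(gid for gid, fixed in advisories.items()
                  if current < release_tuple(fixed))


def constraint_allows(constraint, version):
    """Evaluate a comma-separated specifier (>=, >, <=, <, ==, !=) against a version."""
    ops = {
        ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    }
    v = release_tuple(version)
    for clause in constraint.split(","):
        m = re.match(r"\s*(>=|<=|==|!=|>|<)\s*([\w.]+)\s*$", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not ops[op](v, release_tuple(bound)):
            return False
    return True


if __name__ == "__main__":
    print("unpatched:", unpatched_advisories(SAMPLE_LOCK))
    for gid, fixed in ADVISORIES.items():
        allowed = constraint_allows(EXAMPLE_CONSTRAINT, fixed)
        print(f"{gid}: fixed in {fixed}, permitted by {EXAMPLE_CONSTRAINT!r}: {allowed}")
```

With the sample lock pinning Pillow 9.5.0, all three advisories are reported as unpatched, and none of the fixed releases satisfies the `<10.0.0` cap, which is the dependency-constraint problem the issue describes: the lock file cannot be regenerated onto a fixed Pillow until the upper bound in pyproject.toml is relaxed.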

This issue is stale. Remove stale label or it will be closed next week.

github-actions[bot] avatar May 13 '24 13:05 github-actions[bot]

Changes merged to allow newer versions of PIL and update the lock file. Slated for the next whylogs release, 1.4.1.

jamie256 avatar May 23 '24 16:05 jamie256

Released in version 1.4.1.

jamie256 avatar Jun 18 '24 15:06 jamie256