Bump pillow from 10.4.0 to 11.0.0 #11079

dependabot · 2024-10-16T12:12:46Z

Bumps pillow from 10.4.0 to 11.0.0.

Release notes

11.0.0

https://pillow.readthedocs.io/en/stable/releasenotes/11.0.0.html

Changes

Do not create core image in TIFF seek() #8392 [@radarhere]

Removed custom build_openjpeg #8365 [@radarhere]

Support writing LONG8 offsets in AppendingTiffWriter #8417 [@radarhere]

Use ImageFile.MAXBLOCK when saving TIFF images #8461 [@radarhere]

Always raise warnings for deprecated feature checks #8459 [@radarhere]

Do not close provided file handles with libtiff when saving #8458 [@radarhere]

Revert "Skip QEMU-emulated wheels on workflow dispatch event" #8455 [@radarhere]

Support ImageFilter.BuiltinFilter for I;16* images #8438 [@radarhere]

[pre-commit.ci] pre-commit autoupdate #8448 [@pre-commit-ci]

Use ImagingCore.ptr instead of ImagingCore.id #8341 [@homm]

Simplified code #8445 [@radarhere]

Removed unused code #8447 [@radarhere]

Updated EPS mode when opening images without transparency #8281 [@Yay295]

Use transparency when combining P frames from APNGs #8443 [@radarhere]

Generate and upload attestations to PyPI #8441 [@hugovk]

Do not convert images unnecessarily in ImageEnhance #8431 [@radarhere]

Raise an error if path is compacted during mapping #8416 [@radarhere]

Support all resampling filters when resizing I;16* images #8422 [@radarhere]

Free memory on early return #8413 [@radarhere]

Cast int before potentially exceeding INT_MAX #8402 [@radarhere]

Prevent division by zero #8408 [@radarhere]

Check image value before use #8400 [@radarhere]

Use ruff check #8423 [@radarhere]

Change harfbuzz versions in wheels #8421 [@radarhere]

Use Capsule for WebP saving #8386 [@homm]

Fixed writing multiple StripOffsets to TIFF #8317 [@Yay295]

Updated macOS deployment target for PyPy on Intel to 10.15 #8414 [@radarhere]

Fix dereference before checking for NULL in ImagingTransformAffine #8398 [@PavlNekrasov]

Use transposed size after opening for TIFF images #8390 [@radarhere]

Improve ImageFont error messages #8338 [@yngvem]

Mention MAX_TEXT_CHUNK limit in PNG error message #8391 [@radarhere]

Cast Dib handle to int #8385 [@radarhere]

Updated macOS deployment target for Python >= 3.12 on Intel to 10.13 #8379 [@radarhere]

Removed unused ImagePath variable #8377 [@radarhere]

Change macos-14 to macos-latest #8376 [@radarhere]

Accept float stroke widths #8369 [@radarhere]

Remove comments #8370 [@radarhere]

Removed libffi-dev #8368 [@radarhere]

Improved handling of RGBA palettes when saving GIF images #8366 [@radarhere]

Support converting more modes to LAB by converting to RGBA first #8358 [@radarhere]

Optimize getbbox() and getextrema() routines #8194 [@homm]

Removed unused TiffImagePlugin IFD_LEGACY_API #8355 [@radarhere]

Handle duplicate EXIF header #8350 [@zakajd]

Use (void) for empty function parameters #8002 [@Yay295]

Return early from BoxBlur if either width or height is zero #8347 [@radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

11.0.0 (2024-10-15)

Update licence to MIT-CMU #8460 [hugovk]

Conditionally define ImageCms type hint to avoid requiring core #8197 [radarhere]

Support writing LONG8 offsets in AppendingTiffWriter #8417 [radarhere]

Use ImageFile.MAXBLOCK when saving TIFF images #8461 [radarhere]

Do not close provided file handles with libtiff when saving #8458 [radarhere]

Support ImageFilter.BuiltinFilter for I;16* images #8438 [radarhere]

Use ImagingCore.ptr instead of ImagingCore.id #8341 [homm, radarhere, hugovk]

Updated EPS mode when opening images without transparency #8281 [Yay295, radarhere]

Use transparency when combining P frames from APNGs #8443 [radarhere]

Support all resampling filters when resizing I;16* images #8422 [radarhere]

Free memory on early return #8413 [radarhere]

Cast int before potentially exceeding INT_MAX #8402 [radarhere]

Check image value before use #8400 [radarhere]

Improved copying imagequant libraries #8420 [radarhere]

Use Capsule for WebP saving #8386 [homm, radarhere]

Fixed writing multiple StripOffsets to TIFF #8317 [Yay295, radarhere]

... (truncated)

Commits

204aae6 11.0.0 version bump
f2cc87b Update CHANGES.rst [ci skip]
c855e8e Merge pull request #8464 from radarhere/imagemath_type_hint
dc37515 Merge pull request #8463 from hugovk/update-3.13-date
c3d81d6 Update Python 3.13 release date
a60610c Added type hints
a5c58f2 Merge pull request #8460 from hugovk/mit-cmu
e74994e Update licence to MIT-CMU
b5e1115 Update CHANGES.rst [ci skip]
686b5e2 Merge pull request #8392 from radarhere/tiff_seek
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pillow](https://github.com/python-pillow/Pillow) from 10.4.0 to 11.0.0. - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@10.4.0...11.0.0) --- updated-dependencies: - dependency-name: pillow dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

dryrunsecurity · 2024-10-16T12:13:00Z

DryRun Security Summary

The provided code change in the requirements.txt file is a security-related update that upgrades the Pillow library from version 10.4.0 to 11.0.0, addressing potential security vulnerabilities and highlighting the importance of regularly reviewing and updating dependencies to ensure the overall security and stability of the web application.

Expand for full summary

Summary:

The code change in the provided requirements.txt file is a security-related update, updating the version of the Pillow library from 10.4.0 to 11.0.0. The Pillow library is a popular Python Imaging Library (PIL) that provides image processing capabilities, and is commonly used in web applications like the DefectDojo application.

From an application security perspective, this update is important because it addresses potential security vulnerabilities in the previous version of the Pillow library. Keeping dependencies up-to-date is a crucial aspect of maintaining the overall security of a web application. Additionally, the requirements.txt file includes several other dependencies, such as django, djangorestframework, cryptography, and psycopg, which are also important components of the DefectDojo application. Regularly reviewing and updating these dependencies is essential to ensure the application's security and stability.

Files Changed:

requirements.txt: The code change in this file updates the version of the Pillow library from 10.4.0 to 11.0.0. This is a security-related update, as the previous version 10.4.0 had known security vulnerabilities. Keeping dependencies up-to-date is a crucial aspect of maintaining the overall security of a web application.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Sensitive Files Analyzer	1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

mtesauro

Approved

Bumps [pillow](https://github.com/python-pillow/Pillow) from 10.4.0 to 11.0.0. - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@10.4.0...11.0.0) --- updated-dependencies: - dependency-name: pillow dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Oct 16, 2024

mtesauro approved these changes Oct 16, 2024

View reviewed changes

cneill approved these changes Oct 16, 2024

View reviewed changes

mtesauro merged commit ee451e0 into dev Oct 16, 2024
73 checks passed

dependabot bot deleted the dependabot/pip/dev/pillow-11.0.0 branch October 16, 2024 16:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump pillow from 10.4.0 to 11.0.0 #11079

Bump pillow from 10.4.0 to 11.0.0 #11079

dependabot bot commented on behalf of github Oct 16, 2024

dryrunsecurity bot commented Oct 16, 2024

mtesauro left a comment

Bump pillow from 10.4.0 to 11.0.0 #11079

Bump pillow from 10.4.0 to 11.0.0 #11079

Conversation

dependabot bot commented on behalf of github Oct 16, 2024

11.0.0

Changes

11.0.0 (2024-10-15)

dryrunsecurity bot commented Oct 16, 2024

DryRun Security Summary

Code Analysis

Riskiness

mtesauro left a comment

Choose a reason for hiding this comment