
fix(deps): bump pillow to 12.3.0 to resolve GHSA-cfh3-3jmp-rvhc, GHSA-pwv6-vv43-88gr, GHSA-whj4-6x5x-4v2j, GHSA-xg8h-j46f-w952#81369

Closed
Aaron ("AJ") Steers (aaronsteers) wants to merge 1 commit into master from devin/1782943614-security-pillow

Conversation

@aaronsteers

Member

What

Resolves multiple security vulnerabilities in pillow (transitive dependency) across 11 connectors:

Resolves https://github.com/airbytehq/airbyte-internal-issues/issues/16683

How

Regenerated poetry.lock files to upgrade pillow from various 11.x versions to 12.3.0 (which resolves all listed CVEs).

Since pillow 12.x requires Python >=3.10, the Python constraint in pyproject.toml was narrowed from ^3.9,<3.12 to ^3.10,<3.12 for 9 connectors that previously declared Python 3.9 support. The connector Docker base images use Python 3.10+, so this has no runtime impact.

No connector version bumps are included — these lockfile-only changes will ship with the next substantive release of each connector.

Affected connectors:

  • destination-astra
  • destination-chroma
  • destination-milvus
  • destination-pgvector
  • destination-pinecone
  • destination-qdrant
  • destination-snowflake-cortex
  • destination-weaviate
  • source-microsoft-onedrive
  • source-microsoft-sharepoint
  • source-sftp-bulk

Release notes review

Pillow 12.0 breaking changes include removal of ImageMath.eval(), ImageFile.raise_oserror(), BGR modes, and Python 3.9 support. These affect only code that directly calls removed APIs — none of the affected connectors use pillow directly (it's a transitive dep via unstructured, pdf2image, etc.), so no code changes are required.

Review guide

  1. pyproject.toml files — Python constraint narrowed from ^3.9 to ^3.10 (9 connectors)
  2. poetry.lock files — pillow version bumped to 12.3.0 (all 11 connectors)

User Impact

No user-facing impact. Pillow is a transitive dependency used internally for image processing. The security vulnerabilities are resolved without any behavioral change.

Can this PR be safely reverted and rolled back?

  • YES 💚

Link to Devin session: https://app.devin.ai/sessions/59d4b34347064db78249be17ddaafcc1
Requested by: Aaron ("AJ") Steers (@aaronsteers)
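A reviewer of a lockfile-only bump like this usually wants to confirm the three claims in the description mechanically rather than by eyeballing 11 diffs: that every poetry.lock now pins pillow at 12.3.0 or later, that any connector locked to pillow 12.x no longer advertises Python 3.9, and that no connector source calls the APIs the release notes list as removed. The script below is an added example, not code from this PR or from the airbyte repository. It assumes Poetry's `[[package]]` lockfile layout and a `python = "..."` line in pyproject.toml; the sample lockfile and pyproject contents it ships with are constructed to mirror the before/after state described above, and `audit_tree` assumes a directory laid out like `airbyte-integrations/connectors/<connector>/`.

```python
"""Audit connector directories for the pillow bump described in this PR.

Added example, not code from the PR or the airbyte repo. It checks:
  1. every poetry.lock resolves pillow to >= 12.3.0,
  2. a pyproject.toml whose lock has pillow 12.x no longer declares a
     Python floor below 3.10 (pillow 12 dropped 3.9),
  3. connector source never calls the APIs the PR notes as removed in
     Pillow 12 (ImageMath.eval, ImageFile.raise_oserror).
Assumptions: Poetry's [[package]] lockfile layout and a
`python = "..."` line in pyproject.toml. Sample inputs are constructed.
"""
import re
from pathlib import Path

FIXED_PILLOW = (12, 3, 0)           # version this PR moves to
MIN_PYTHON_FOR_PILLOW_12 = (3, 10)  # pillow 12.x floor, per the PR text
REMOVED_APIS = ("ImageMath.eval(", "ImageFile.raise_oserror(")

# One [[package]] block in poetry.lock: name on the line after the header,
# version on the line after that.
_PACKAGE_RE = re.compile(
    r'\[\[package\]\]\s*name = "(?P<name>[^"]+)"\s*version = "(?P<version>[^"]+)"'
)
_PYTHON_RE = re.compile(r'^python\s*=\s*"([^"]+)"', re.MULTILINE)


def parse_version(text):
    """'12.3.0' -> (12, 3, 0); for '^3.9,<3.12' the leading ints give the floor."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def locked_version(lock_text, package):
    """Return the pinned version tuple of `package`, or None if absent."""
    for m in _PACKAGE_RE.finditer(lock_text):
        if m.group("name").lower() == package.lower():
            return parse_version(m.group("version"))
    return None


def python_floor(pyproject_text):
    """Lower bound of the python constraint, e.g. '^3.9,<3.12' -> (3, 9)."""
    m = _PYTHON_RE.search(pyproject_text)
    return parse_version(m.group(1))[:2] if m else None


def audit_connector(name, lock_text, pyproject_text, sources):
    """Return a list of findings for one connector (empty means clean)."""
    findings = []
    pillow = locked_version(lock_text, "pillow")
    if pillow is None:
        findings.append(f"{name}: pillow not present in poetry.lock")
    elif pillow < FIXED_PILLOW:
        findings.append(f"{name}: pillow {'.'.join(map(str, pillow))} is below 12.3.0")
    floor = python_floor(pyproject_text)
    if pillow and pillow >= (12, 0, 0) and floor and floor < MIN_PYTHON_FOR_PILLOW_12:
        findings.append(f"{name}: python floor {floor} is below 3.10 but pillow 12.x is locked")
    for path, code in sources.items():
        for api in REMOVED_APIS:
            if api in code:
                findings.append(f"{name}: {path} calls {api[:-1]}, removed in Pillow 12")
    return findings


def audit_tree(root):
    """Walk `<root>/<connector>/` dirs (assumed airbyte-style layout) and audit each."""
    findings = []
    for lock in sorted(Path(root).glob("*/poetry.lock")):
        conn = lock.parent
        pyproject = conn / "pyproject.toml"
        sources = {str(p.relative_to(conn)): p.read_text(errors="ignore")
                   for p in conn.rglob("*.py")}
        findings += audit_connector(conn.name, lock.read_text(),
                                    pyproject.read_text() if pyproject.exists() else "",
                                    sources)
    return findings


# Constructed sample inputs modelled on the before/after state in this PR.
LOCK_BEFORE = '''[[package]]
name = "pdf2image"
version = "1.0.0"
description = "constructed sample package"

[[package]]
name = "pillow"
version = "11.0.0"
description = "Python Imaging Library (fork)"
python-versions = ">=3.9"
'''
LOCK_AFTER = LOCK_BEFORE.replace('version = "11.0.0"', 'version = "12.3.0"')
PYPROJECT_BEFORE = '[tool.poetry.dependencies]\npython = "^3.9,<3.12"\n'
PYPROJECT_AFTER = PYPROJECT_BEFORE.replace("^3.9", "^3.10")

if __name__ == "__main__":
    for label, lock, pyp in (("before", LOCK_BEFORE, PYPROJECT_BEFORE),
                             ("after", LOCK_AFTER, PYPROJECT_AFTER)):
        print(label, audit_connector("destination-astra", lock, pyp, {}) or ["clean"])
```

Run against the real tree with `audit_tree("airbyte-integrations/connectors")` (assumed path); a non-empty result on the "after" state means either a connector was missed by the lockfile regeneration or one still claims Python 3.9 while pulling pillow 12.x, which `poetry lock` would itself refuse to resolve.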

@devin-ai-integration

Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.


PR Slash Commands

Airbyte Maintainers (that's you!) can execute the following slash commands on your PR:

  • 🛠️ Quick Fixes
    • /format-fix - Fixes most formatting issues.
    • /bump-version - Bumps connector versions, scraping changelog description from the PR title.
      • Bump types: patch (default), minor, major, major_rc, rc, promote.
      • The rc type is a smart default: applies minor_rc if stable, or bumps the RC number if already RC.
      • The promote type strips the RC suffix to finalize a release.
      • Example: /bump-version type=rc or /bump-version type=minor
    • /bump-progressive-rollout-version - Alias for /bump-version type=rc. Bumps with an RC suffix and enables progressive rollout.
  • ❇️ AI Testing and Review (internal link: AI-SDLC Docs):
    • /ai-prove-fix - Runs prerelease readiness checks, including testing against customer connections.
    • /ai-canary-prerelease - Rolls out prerelease to 5-10 connections for canary testing.
    • /ai-review - AI-powered PR review for connector safety and quality gates.
  • 📝 AI Documentation:
    • /ai-docs-review - AI-powered documentation review for PRs with connector changes.
    • /ai-create-docs-pr - Creates a documentation PR for connector changes, stacked on the current PR.
  • 🚀 Connector Releases:
    • /publish-connectors-prerelease - Publishes pre-release connector builds (tagged as {version}-preview.{git-sha}) for all modified connectors in the PR.
  • ☕️ JVM connectors:
    • /update-connector-cdk-version connector=<CONNECTOR_NAME> - Updates the specified connector to the latest CDK version.
      Example: /update-connector-cdk-version connector=destination-bigquery
  • 🐍 Python connectors:
    • /poe connector source-example lock - Run the Poe lock task on the source-example connector, committing the results back to the branch.
    • /poe source example lock - Alias for /poe connector source-example lock.
    • /poe source example use-cdk-branch my/branch - Pin the source-example CDK reference to the branch name specified.
    • /poe source example use-cdk-latest - Update the source-example CDK dependency to the latest available version.
  • ⚙️ Admin commands:
    • /force-merge reason="<REASON>" - Force merges the PR using admin privileges, bypassing CI checks. Requires a reason.
      Example: /force-merge reason="CI is flaky, tests pass locally"

@devin-ai-integration devin-ai-integration Bot left a comment

Contributor


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

destination-pinecone Connector Test Results

29 tests   27 ✅  5s ⏱️
 2 suites   2 💤
 2 files     0 ❌

Results for commit 3b95f0e.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

destination-milvus Connector Test Results

15 tests   13 ✅  5s ⏱️
 2 suites   2 💤
 2 files     0 ❌

Results for commit 3b95f0e.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

destination-astra Connector Test Results

15 tests   15 ✅  1s ⏱️
 1 suites   0 💤
 1 files     0 ❌

Results for commit 3b95f0e.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

destination-chroma Connector Test Results

12 tests   12 ✅  2s ⏱️
 1 suites   0 💤
 1 files     0 ❌

Results for commit 3b95f0e.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

destination-pgvector Connector Test Results

7 tests   5 ✅  13s ⏱️
2 suites  2 💤
2 files    0 ❌

Results for commit 0edb699.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

destination-pgvector Connector Test Results

7 tests   5 ✅  9s ⏱️
2 suites  2 💤
2 files    0 ❌

Results for commit 3b95f0e.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-microsoft-onedrive Connector Test Results

0 tests   0 ✅  0s ⏱️
1 suites  0 💤
1 files    0 ❌

Results for commit 3b95f0e.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

destination-weaviate Connector Test Results

23 tests   21 ✅  4s ⏱️
 2 suites   2 💤
 2 files     0 ❌

Results for commit 3b95f0e.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

destination-snowflake-cortex Connector Test Results

7 tests   5 ✅  12s ⏱️
2 suites  2 💤
2 files    0 ❌

Results for commit 3b95f0e.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

destination-qdrant Connector Test Results

14 tests   14 ✅  3s ⏱️
 1 suites   0 💤
 1 files     0 ❌

Results for commit 3b95f0e.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-microsoft-sharepoint Connector Test Results

67 tests   63 ✅  23s ⏱️
 2 suites   3 💤
 2 files     1 ❌

For more details on these failures, see this check.

Results for commit 3b95f0e.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-sftp-bulk Connector Test Results

61 tests   59 ✅  12s ⏱️
 2 suites   2 💤
 2 files     0 ❌

Results for commit 3b95f0e.

♻️ This comment has been updated with latest results.

…-pwv6-vv43-88gr, GHSA-whj4-6x5x-4v2j, GHSA-xg8h-j46f-w952

Upgrade pillow from various 11.x versions to 12.3.0 across 11 connector
lockfiles to resolve multiple security vulnerabilities.

Pillow 12.x requires Python >=3.10, so the Python constraint was narrowed
from ^3.9,<3.12 to ^3.10,<3.12 for 9 connectors that previously supported
Python 3.9. This does not trigger connector releases since no version bump
is included.

Affected connectors:
- destination-astra
- destination-chroma
- destination-milvus
- destination-pgvector
- destination-pinecone
- destination-qdrant
- destination-snowflake-cortex
- destination-weaviate
- source-microsoft-onedrive
- source-microsoft-sharepoint
- source-sftp-bulk

Co-Authored-By: AJ Steers <aj@airbyte.io>
devin-ai-integration Bot force-pushed the devin/1782943614-security-pillow branch from 0edb699 to 3b95f0e on July 1, 2026 23:40
@devin-ai-integration

Contributor

Closing this multi-connector PR per updated playbook requirements. The new policy requires one PR per connector (unhealthy CI on one connector blocks all others in a combined PR). Will create individual PRs for each connector.


Devin session
