fix(deps): bump pillow to 12.3.0 to resolve GHSA-cfh3-3jmp-rvhc, GHSA-pwv6-vv43-88gr, GHSA-whj4-6x5x-4v2j, GHSA-xg8h-j46f-w952#81369
Conversation
…-pwv6-vv43-88gr, GHSA-whj4-6x5x-4v2j, GHSA-xg8h-j46f-w952

Upgrade pillow from various 11.x versions to 12.3.0 across 11 connector lockfiles to resolve multiple security vulnerabilities. Pillow 12.x requires Python >=3.10, so the Python constraint was narrowed from ^3.9,<3.12 to ^3.10,<3.12 for 9 connectors that previously supported Python 3.9. This does not trigger connector releases since no version bump is included.

Affected connectors:
- destination-astra
- destination-chroma
- destination-milvus
- destination-pgvector
- destination-pinecone
- destination-qdrant
- destination-snowflake-cortex
- destination-weaviate
- source-microsoft-onedrive
- source-microsoft-sharepoint
- source-sftp-bulk

Co-Authored-By: AJ Steers <aj@airbyte.io>

Force-pushed 0edb699 to 3b95f0e
Closing this multi-connector PR per updated playbook requirements. The new policy requires one PR per connector (unhealthy CI on one connector blocks all others in a combined PR). Will create individual PRs for each connector.
What

Resolves multiple security vulnerabilities in pillow (transitive dependency) across 11 connectors:

Resolves https://github.com/airbytehq/airbyte-internal-issues/issues/16683

How

Regenerated poetry.lock files to upgrade pillow from various 11.x versions to 12.3.0 (which resolves all listed CVEs). Since pillow 12.x requires Python >=3.10, the Python constraint in pyproject.toml was narrowed from ^3.9,<3.12 to ^3.10,<3.12 for 9 connectors that previously declared Python 3.9 support. The connector Docker base images use Python 3.10+, so this has no runtime impact. No connector version bumps are included — these lockfile-only changes will ship with the next substantive release of each connector.
Affected connectors:
Release notes review

Pillow 12.0 breaking changes include removal of ImageMath.eval(), ImageFile.raise_oserror(), BGR modes, and Python 3.9 support. These affect only code that directly calls removed APIs — none of the affected connectors use pillow directly (it's a transitive dep via unstructured, pdf2image, etc.), so no code changes are required.

Review guide

- pyproject.toml files — Python constraint narrowed from ^3.9 to ^3.10 (9 connectors)
- poetry.lock files — pillow version bumped to 12.3.0 (all 11 connectors)

User Impact
No user-facing impact. Pillow is a transitive dependency used internally for image processing. The security vulnerabilities are resolved without any behavioral change.
Can this PR be safely reverted and rolled back?
Link to Devin session: https://app.devin.ai/sessions/59d4b34347064db78249be17ddaafcc1
Requested by: Aaron ("AJ") Steers (@aaronsteers)
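As an added example, not code from the PR or from the Airbyte repository, here is a small reviewer-side check for the two changes described above: that each connector's poetry.lock pins pillow at 12.3.0 or later, and that whenever pillow 12.x is pinned the pyproject.toml python constraint no longer admits 3.9. The lockfile and pyproject snippets below are constructed samples, not the real connector files.

```python
import re

REQUIRED_PILLOW = (12, 3, 0)    # version that resolves the four GHSA advisories in the PR title
PILLOW12_MIN_PYTHON = (3, 10)   # pillow 12.x dropped Python 3.9

def parse_version(text):
    """'12.3.0' -> (12, 3, 0); only the first three numeric parts are kept."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def locked_version(lock_text, package):
    """Return the pinned version of `package` from poetry.lock text, or None if absent."""
    for section in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', section, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', section, re.M)
        if name and version and name.group(1).lower() == package:
            return parse_version(version.group(1))
    return None

def python_lower_bound(pyproject_text):
    """Lower bound of the Poetry python constraint, e.g. '^3.9,<3.12' -> (3, 9)."""
    spec = re.search(r'^python\s*=\s*"([^"]+)"', pyproject_text, re.M).group(1)
    major, minor = re.search(r"(\d+)\.(\d+)", spec).groups()
    return (int(major), int(minor))

def audit(lock_text, pyproject_text):
    """Return a list of findings for one connector; an empty list means it is consistent."""
    findings = []
    pillow = locked_version(lock_text, "pillow")
    if pillow is None:
        return findings  # this connector does not pull pillow at all
    if pillow < REQUIRED_PILLOW:
        findings.append(f"pillow {'.'.join(map(str, pillow))} is below 12.3.0")
    if pillow >= (12, 0, 0) and python_lower_bound(pyproject_text) < PILLOW12_MIN_PYTHON:
        findings.append("python constraint admits 3.9 but pillow 12.x needs >=3.10")
    return findings

# Constructed samples (hypothetical), not the real connector files.
LOCK_BEFORE = '[[package]]\nname = "pillow"\nversion = "11.1.0"\n'
LOCK_AFTER = '[[package]]\nname = "pillow"\nversion = "12.3.0"\n'
PYPROJECT_39 = '[tool.poetry.dependencies]\npython = "^3.9,<3.12"\n'
PYPROJECT_310 = '[tool.poetry.dependencies]\npython = "^3.10,<3.12"\n'

if __name__ == "__main__":
    for label, lock, proj in [("before", LOCK_BEFORE, PYPROJECT_39),
                              ("lock only", LOCK_AFTER, PYPROJECT_39),
                              ("after", LOCK_AFTER, PYPROJECT_310)]:
        print(label, audit(lock, proj) or "ok")
```

The "lock only" case is the one worth keeping in the check: regenerating poetry.lock without narrowing the python constraint leaves a pyproject.toml that still claims 3.9 support the resolved dependency tree cannot honour.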