chore: bump pillow and python-multipart for CVEs, add SECURITY.md (#564)

johnnygreco · web-flow · commit 96481548521e · 2026-04-20T18:36:22.000-04:00
- pillow 12.1.1 -> 12.2.0 fixes CVE-2026-40192 (FITS GZIP decompression bomb) - python-multipart 0.0.22 -> 0.0.26 via workspace constraint (transitive via mcp) - add NVIDIA SECURITY.md disclosure policy
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,24 @@
+## Security
+
+NVIDIA is dedicated to the security and trust of our software products and services, including all source code repositories managed through our organization.
+
+If you need to report a security issue, please use the appropriate contact points outlined below. **Please do not report security vulnerabilities through GitHub.** If a potential security issue is inadvertently reported via a public issue or pull request, NVIDIA maintainers may limit public discussion and redirect the reporter to the appropriate private disclosure channels.
+
+## Reporting Potential Security Vulnerability in an NVIDIA Product
+
+To report a potential security vulnerability in any NVIDIA product:
+- Web: [Security Vulnerability Submission Form](https://www.nvidia.com/object/submit-security-vulnerability.html)
+- E-Mail: psirt@nvidia.com
+    - We encourage you to use the following PGP key for secure email communication: [NVIDIA public PGP Key for communication](https://www.nvidia.com/en-us/security/pgp-key)
+    - Please include the following information:
+   	 - Product/Driver name and version/branch that contains the vulnerability
+     - Type of vulnerability (code execution, denial of service, buffer overflow, etc.)
+   	 - Instructions to reproduce the vulnerability
+   	 - Proof-of-concept or exploit code
+   	 - Potential impact of the vulnerability, including how an attacker could exploit the vulnerability
+
+While NVIDIA currently does not have a bug bounty program, we do offer acknowledgement when an externally reported security issue is addressed under our coordinated vulnerability disclosure policy. Please visit our [Product Security Incident Response Team (PSIRT)](https://www.nvidia.com/en-us/security/psirt-policies/) policies page for more information.
+
+## NVIDIA Product Security
+
+For all security-related concerns, please visit NVIDIA's Product Security portal at https://www.nvidia.com/en-us/security
diff --git a/packages/data-designer-config/pyproject.toml b/packages/data-designer-config/pyproject.toml
@@ -22,7 +22,7 @@ dependencies = [
     "jinja2>=3.1.6,<4",
     "numpy>=1.23.5,<3",
     "pandas>=2.3.3,<3",
-    "pillow>=12.1.1,<13",
+    "pillow>=12.2.0,<13", # 12.2.0 fixes CVE-2026-40192 (FITS GZIP decompression bomb)
     "pyarrow>=19.0.1,<20", # Required for parquet I/O operations
     "pydantic[email]>=2.9.2,<3",
     "pygments>=2.20,<3",
diff --git a/pyproject.toml b/pyproject.toml
@@ -34,9 +34,11 @@ required-version = ">=0.7.10"
 # Minimum versions for transitive dependencies with known security vulnerabilities.
 # aiohttp 3.13.3: CVE-2026-22815, CVE-2026-34513 through CVE-2026-34525 (multiple DoS, CRLF injection, credential theft)
 # cryptography 46.0.6: CVE-2026-39892 (buffer overflow on Python >3.11)
+# python-multipart 0.0.22: security advisory (transitive via mcp)
 constraint-dependencies = [
     "aiohttp>=3.13.5",
     "cryptography>=46.0.7",
+    "python-multipart>=0.0.26",
 ]
 
 [dependency-groups]
diff --git a/uv.lock b/uv.lock
