Dependency hygiene: add Dependabot gomod coverage and pin a non-vulnerable Pillow floor in docs

ciaranra · ciaranra · commit 1eb441e104c5 · 2026-05-22T15:43:15.000-06:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -62,3 +62,18 @@ updates:
     ignore:
       - dependency-name: "*"
         update-types: ["version-update:semver-patch", "version-update:semver-minor", "version-update:semver-major"]
+
+  # Go (gomod) - security updates only. Watches the Go module that was
+  # previously uncovered (its transitive tree had accumulated advisories).
+  - package-ecosystem: "gomod"
+    directory: "/go/pecos"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      go-security:
+        applies-to: security-updates
+        patterns: ["*"]
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch", "version-update:semver-minor", "version-update:semver-major"]
diff --git a/python/quantum-pecos/docs/requirements.txt b/python/quantum-pecos/docs/requirements.txt
@@ -1,4 +1,5 @@
 matplotlib==3.9.2
+pillow>=11.3.0  # security floor: Pillow is transitive via matplotlib; avoid known-vulnerable old releases
 networkx==3.3
 numpy==1.26.4
 scipy==1.14.1

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`matplotlib==3.9.2`
	`2`	`+pillow>=11.3.0 # security floor: Pillow is transitive via matplotlib; avoid known-vulnerable old releases`
`2`	`3`	`networkx==3.3`
`3`	`4`	`numpy==1.26.4`
`4`	`5`	`scipy==1.14.1`