fix(deps): clear pillow/click pip-audit CVEs#408
Conversation
…p-audit CVEs Pillow 12.2.0 carries PYSEC-2026-2253/54/55/56/57; click 8.3.2 (transitive via transformers -> typer) carries PYSEC-2026-2132. Bumps the direct Pillow pin and adds a [tool.uv] constraint floor for the transitive click. Relock moves only click 8.3.2->8.4.2 and pillow 12.2.0->12.3.0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
MLCommons CLA bot All contributors have signed the MLCommons CLA ✍️ ✅ |
There was a problem hiding this comment.
Code Review
This pull request introduces dependency updates to address security vulnerabilities and upgrade package versions. Specifically, it adds a constraint dependency for click>=8.3.3 to mitigate CVE PYSEC-2026-2132, which upgrades click from 8.3.2 to 8.4.2 in the lockfile. Additionally, Pillow is upgraded from 12.2.0 to 12.3.0 in both pyproject.toml and uv.lock. There are no review comments, and I have no feedback to provide.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
What
Clears 6 newly-disclosed CVEs flagged by the
auditCI job (uv run pip-audit):Pillowclicktransformers → typer)Pillowis bumped in place;clickis a transitive dep so it's floored via[tool.uv] constraint-dependencies = ["click>=8.3.3"]. Relock moves only these two packages.Why separate
These CVEs published after
main's last greenauditrun (2026-07-10), somainand all ~19 open PRs fail this job identically — it is not specific to any feature branch. Merging here lets every branch go green by rebasing/mergingmain, rather than each duplicating the lockfile edit (and colliding onuv.lock). Follows the precedent of priorfix(deps):CVE PRs (aiohttp #358, msgpack).Verification
uv sync --frozen --extra dev --extra test --extra performance && uv run pip-audit→ No known vulnerabilities found.🤖 Generated with Claude Code