fix(deps): patch Pillow, pytest, vite, esbuild — closes 14 security alerts#23
Merged
Conversation
…lerts

Bumps:

* pillow >=11.0,<12 → >=12.2,<13
  Closes 8 Pillow CVEs: PSD OOB write, PSD tile-extent integer overflow, FITS GZIP decompression bomb, integer overflow on fonts, heap buffer overflow on nested-list coordinates, PDF parsing infinite loop.
* pytest >=8.0,<9 → >=9.0.3,<10
  Closes the pytest tmpdir handling CVE.
* pytest-asyncio >=0.23,<1 → >=1.0,<2
  Required to resolve with pytest 9.
* vite >=5.4.10 → >=6.4.2
  Closes the vite optimised-deps .map path-traversal CVE (dev server).
* vitest 2.1.4 → 3.2.4
  Required to resolve with vite 6; also closes the vitest/vite-node transitive CVEs.
* esbuild forced >=0.25.0 (via npm overrides)
  Closes the esbuild dev-server request-reading CVE (transitive via vite tooling).
* vite.config.ts: pin build.target = 'es2022' to keep esbuild happy with modern destructuring syntax in dependencies, and reference vitest/config for typed test block.

Verification:

* uv lock + uv sync: 138 packages resolved cleanly.
* pytest: 328 passed, 2 skipped (gluetun VPN smoke).
* npm install + npm audit: 0 vulnerabilities.
* vite build: 426 KB JS / 134 KB gzip.

Note: the HuggingFace Transformers Trainer CVE alert was dismissed as not-affected; we use SentenceTransformer for inference-time embedding, never Trainer.
Summary
Closes 14 of the 15 Dependabot security alerts in one coordinated bump:
| Package | Before | After |
| --- | --- | --- |
| pillow | >=11.0,<12 | >=12.2,<13 |
| pytest | >=8.0,<9 | >=9.0.3,<10 |
| pytest-asyncio | >=0.23,<1 | >=1.0,<2 |
| vite | ^5.4.10 | ^6.4.2 |
| vitest | ^2.1.4 | ^3.2.4 |
| esbuild | transitive | >=0.25.0 (npm override) |
| transformers | n/a | Dismissed (not-affected) |

transformers: Trainer arbitrary code execution. We only use SentenceTransformer for inference-time embedding; Trainer is never imported or instantiated. Verified by grep across src/ and tests/.

Vite config note
Vite 6 tightened the default build target. Pinned build.target = 'es2022' in vite.config.ts to keep esbuild happy with modern destructuring syntax used by some deps. Also referenced vitest/config types for the test block (vite 6 narrowed its config typings).

Verification
* uv lock + uv sync: 138 packages resolved cleanly.
* pytest: 328 passed, 2 skipped (gluetun VPN smoke).
* npm install + npm audit: 0 vulnerabilities.
* vite build: 426 KB JS / 134 KB gzip.