
BLD: update pillow dependency #15534

Merged: 1 commit into matplotlib:master from mnt_bump_pillow, Oct 27, 2019

Conversation

tacaswell
Member

Pillow has a security issue for <6.2.0 (CVE-2019-16865).

This is in violation of our normal support window for dependencies,
however we are making an exception due to the CVE.

This may be too aggressive of a pinning for our downstream
packagers, but they can patch this out if required.

PR Summary

PR Checklist

  • Has Pytest style unit tests
  • Code is Flake 8 compliant
  • New features are documented, with examples if plot related
  • Documentation is sphinx and numpydoc compliant
  • Added an entry to doc/users/next_whats_new/ if major new feature (follow instructions in README.rst there)
  • Documented in doc/api/api_changes.rst if API changed in a backward-incompatible way

@tacaswell tacaswell added this to the v3.3.0 milestone Oct 26, 2019
@tacaswell
Member Author

We only have a hard dependency on pillow on master branch.

@dstansby dstansby merged commit c684a79 into matplotlib:master Oct 27, 2019
@tacaswell tacaswell deleted the mnt_bump_pillow branch October 27, 2019 20:08
@timhoffm
Member

Should we set up https://dependabot.com/ for the project? It would have warned and created this PR automatically.

@tacaswell
Member Author

GitHub themselves warned us (or at least me?) about this one.

@timhoffm
Member

Ok, then at least you get the info already 😄.

@QuLogic
Member

QuLogic commented Oct 28, 2019

TBH, I'm not really sure we need to do this regularly (having not looked at the CVE). Patches could have been backported depending on where you get Pillow, so our requirement really should be about functionality.
