fix(python-fastapi): bump pillow and python-dotenv for security advisories by cbullinger · Pull Request #108 · mongodb/docs-sample-apps

cbullinger · 2026-05-06T12:55:46Z

Summary

Bumps direct and constrained dependencies in mflix/server/python-fastapi to patched versions reported by Dependabot.

pillow 12.1.1 → 12.2.0 (constraints in requirements.in, pin in requirements.txt)
python-dotenv 1.1.1 → 1.2.2

Alert	Package	Severity	Advisory
#51	pillow	High	GHSA-pwv6-vv43-88gr (CVE-2026-42311)
#50	pillow	Medium	GHSA-r73j-pqj5-w3x7 (CVE-2026-42310)
#49	pillow	Medium	GHSA-wjx4-4jcj-g98j (CVE-2026-42308)
#48	pillow	Medium	GHSA-5xmw-vc9v-4wf2 (CVE-2026-42309)
#47	python-dotenv	Medium	GHSA-mf9w-mj56-hr94 (CVE-2026-28684)

requirements.txt pins match patched versions from advisories
CI / optional: pip install -r mflix/server/python-fastapi/requirements.txt in a clean environment

Made with Cursor

…ories - pillow 12.2.0 (CVE-2026-42308 through CVE-2026-42311, GHSA-5xmw-vc9v-4wf2, etc.) - python-dotenv 1.2.2 (CVE-2026-28684, GHSA-mf9w-mj56-hr94) Addresses Dependabot alerts #47-51 on mongodb/docs-sample-apps. Co-authored-by: Cursor <cursoragent@cursor.com>

cbullinger mentioned this pull request May 6, 2026

fix(python-fastapi): bump pillow and python-dotenv for security advisories #109

Merged