security: bump pillow to 10.2 to fix CVE-2022-22817 (#400)
Not a real problem since it's just a test dependency. Still, here comes
the fix for
https://github.com/Guts/qgis-deployment-cli/security/dependabot/2

> Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code
Execution via the environment parameter, a different vulnerability than
CVE-2022-22817 (which was about the expression parameter).
Guts authored Jan 23, 2024
2 parents 30c5afd + 1ad5c12 commit 0793b57
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion requirements/testing.txt
@@ -2,6 +2,6 @@
# --------------------

GitPython>=3.1,<3.2
Pillow>=10.0.1,<10.2
Pillow>=10.2,<10.3
pytest-cov>=4,<4.2
validators>=0.20,<0.23
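Review bot: the commit title cites CVE-2022-22817, but the advisory text quoted in the commit message states that the PIL.ImageMath.eval environment-parameter issue is "a different vulnerability than CVE-2022-22817", so the subject line names the wrong ID; since the subject is what changelog and audit tooling will pick up, take the CVE ID from the linked Dependabot alert (https://github.com/Guts/qgis-deployment-cli/security/dependabot/2) and use that in the title. The pin change itself, `Pillow>=10.2,<10.3`, follows the `>=X,<Y` convention used by the other entries in requirements/testing.txt and moves the floor past the affected range ("through 10.1.0"), so no further change to the hunk is needed.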
