From 82373cf938d4ec04016cb17e69c6ae30458019bb Mon Sep 17 00:00:00 2001 From: GruntworkAI Date: Sun, 19 Apr 2026 21:27:18 -0700 Subject: [PATCH] fix(ce-gemini-imagegen): bump Pillow floor to 10.3.0 to clear 4 CVEs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `Pillow>=10.0.0` constraint admitted four CVEs affecting this skill's PIL.Image usage (imported in 5 scripts): | CVE | Severity | Pillow fix | |-------------------------|----------|------------| | PYSEC-2023-175 | critical | 10.0.1 | | GHSA-j7hp-h8jx-5ppr | high | 10.0.1 | | GHSA-3f63-hfp8-52jq | critical | 10.2.0 | | GHSA-44wm-f244-xhp3 | high | 10.3.0 | Bumping the floor to 10.3.0 eliminates all four in one hop. Added a comment above the pin so future contributors know why the floor was chosen and can bump again when the next Pillow CVE lands. Verified against OSV per-ecosystem fix data (PyPI Pillow specifically — osv-scanner's raw `fixed_versions` list surfaces cross-ecosystem values from libwebp / Electron that don't apply here). Provenance: surfaced by a Claude Code plugin static analyzer we're building (details in PR description). --- .../skills/ce-gemini-imagegen/requirements.txt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/plugins/compound-engineering/skills/ce-gemini-imagegen/requirements.txt b/plugins/compound-engineering/skills/ce-gemini-imagegen/requirements.txt index 9b5d2330a..3a2656290 100644 --- a/plugins/compound-engineering/skills/ce-gemini-imagegen/requirements.txt +++ b/plugins/compound-engineering/skills/ce-gemini-imagegen/requirements.txt @@ -1,2 +1,5 @@ google-genai>=1.0.0 -Pillow>=10.0.0 +# Pillow floor bumped above the last known RCE-class CVE affecting this skill. +# 10.3.0 clears: PYSEC-2023-175, GHSA-j7hp-h8jx-5ppr (libwebp OOB), +# GHSA-3f63-hfp8-52jq (arbitrary code execution), GHSA-44wm-f244-xhp3. +Pillow>=10.3.0