security: bump GitPython, Pillow, urllib3 to CVE-clean versions#5142
mvillmow wants to merge 1 commit into
The 3 transitively-installed libraries below were pinned to versions with known HIGH-severity CVEs flagged by Trivy. All bumps stay within the same major release line, so they should be drop-in.

- gitpython 3.1.46 -> 3.1.49 - CVE-2026-42215, -42284, -44243, -44244
- pillow 12.1.1 -> 12.2.0 - CVE-2026-42311
- urllib3 2.6.3 -> 2.7.0 - CVE-2026-44431
Summary

Bumps three transitively-pinned libraries to their lowest CVE-clean versions. Trivy scans of images built with `aider-chat==0.86.2` reported 7 HIGH-severity CVEs across these three libraries.

- `gitpython` 3.1.46 → 3.1.49 (CVE-2026-42215, -42284, -44243, -44244)
- `pillow` 12.1.1 → 12.2.0 (CVE-2026-42311)
- `urllib3` 2.6.3 → 2.7.0 (CVE-2026-44431)

Closes #5139
Closes #5140
Closes #5141

Files touched

The pins live in pip-tools / `uv pip compile`-generated lockfiles, not in `pyproject.toml`. Edited in place:

- `requirements.txt`
- `requirements/common-constraints.txt`
- `requirements/requirements-browser.txt`
- `requirements/requirements-dev.txt`
- `requirements/requirements-help.txt`

Quirks / things for the maintainer to double-check

`uv` was not available in our environment, so the lockfiles were updated by hand rather than regenerated. The 3 changed pins are simple version-string swaps — no hashes are present in the existing lockfiles, so no hash regeneration was needed. Still, please run `uv pip compile --no-strip-extras --constraint=requirements/common-constraints.txt --output-file=tmp.requirements.txt requirements/requirements.in` (and the equivalent for the other `.in` files) locally to confirm no transitive resolution drift before merging.

Verification

`aider --version` smoke-tested in downstream consumer.

Downstream context

Reported by the HomericIntelligence/AchaeanFleet team. We've worked around it locally by force-overriding the pins post-install, but a native upstream fix removes the need for that workaround everywhere.
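Since the lockfiles were edited by hand rather than regenerated, a maintainer may want a quick check that every `name==version` pin across the requirements files sits at or above the CVE-clean floors named in this PR. The script below is an added example, not part of this PR or of aider's own tooling; the floors come from the PR text, and the sample lockfile content is constructed.

```python
"""Check lockfile pins against the CVE-clean floors from this PR (added
example, not aider's own tooling; sample lockfile text is constructed)."""
import re

# Floors taken from the PR description; CVE ids are the ones it cites.
MIN_VERSIONS = {
    "gitpython": "3.1.49",  # CVE-2026-42215, -42284, -44243, -44244
    "pillow": "12.2.0",     # CVE-2026-42311
    "urllib3": "2.7.0",     # CVE-2026-44431
}

# Matches "name==1.2.3", tolerating extras ("name[x]") and a trailing marker.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9.]*)")

def normalize(name):
    """PEP 503 normalisation: GitPython / Pillow compare as gitpython / pillow."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(v):
    """Dotted release segments as a tuple of ints: '3.1.49' -> (3, 1, 49)."""
    return tuple(int(p) for p in v.split(".") if p)

def stale_pins(lockfile_text):
    """Return {package: (pinned, floor)} for every pin below its floor.
    Absent packages are not reported: not every lockfile lists all three."""
    problems = {}
    for line in lockfile_text.splitlines():
        m = PIN_RE.match(line)
        if not m:
            continue  # comment, "# via" annotation or blank line
        name, pinned = normalize(m.group(1)), m.group(2)
        floor = MIN_VERSIONS.get(name)
        if floor and parse_version(pinned) < parse_version(floor):
            problems[name] = (pinned, floor)
    return problems

# Constructed sample mirroring the pre-bump pins, not a real aider lockfile.
STALE_LOCKFILE = """\
# This file was autogenerated by uv (constructed sample)
GitPython==3.1.46
    # via aider-chat
pillow==12.1.1
urllib3==2.6.3 ; python_version < "3.14"
"""

if __name__ == "__main__":
    for pkg, (pinned, floor) in stale_pins(STALE_LOCKFILE).items():
        print(f"{pkg}=={pinned} is below CVE-clean floor {floor}")
```

Run `stale_pins(open(path).read())` over each of the five requirements files listed above; an empty result means every pin present is at or above its floor.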