fix: create-pull-request v7; pillow version to 12

Author: bradjin8

.github/workflows/update-lock.yml

@@ -47,7 +47,7 @@ jobs:
           fi
 
       - name: Open PR if lock file changed
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676  # v7
         with:
           commit-message: "chore: update requirements-lock.txt"
           branch: "chore/update-lock-file"

pyproject.toml

@@ -18,9 +18,9 @@ requires-python = ">=3.10"
 dependencies = [
     "flask>=3.0,<4",
     "fpdf2>=2.7,<3",
-    # Security floor: fpdf2 allows Pillow>=8.3.2, so 9.x can still be resolved.
-    # CVE-2024-28219 (buffer overflow) fixed in Pillow 10.3.0 — https://nvd.nist.gov/vuln/detail/CVE-2024-28219
-    "pillow>=10.3.0,<11",
+    # Security floor: fpdf2 allows Pillow>=8.3.2 (no upper cap); pin 12.x to avoid
+    # known high-severity CVEs in Pillow 10.x (e.g. CVE-2024-28219 and later advisories).
+    "pillow>=12.2.0,<13",
 ]
 
 [project.optional-dependencies]

requirements-lock.txt

@@ -13,5 +13,5 @@ fpdf2==2.8.7              # via -r requirements.txt
 itsdangerous==2.2.0       # via flask
 jinja2==3.1.6             # via flask
 markupsafe==3.0.3         # via flask, jinja2, werkzeug
-pillow==10.4.0            # via -r requirements.txt, fpdf2
+pillow==12.2.0            # via -r requirements.txt, fpdf2
 werkzeug==3.1.8           # via flask

requirements.txt

@@ -6,5 +6,5 @@
 #         pip install -e ".[desktop]" (+ pywebview for the GUI launcher)
 flask>=3.0,<4
 fpdf2>=2.7,<3
-pillow>=10.3.0,<11
+pillow>=12.2.0,<13
 # pywebview is desktop-only — install with: pip install -e ".[desktop]"