fix: Add an explicit Pillow constraint to exclude known-vulnerable versions.

bradjin8 · bradjin8 · commit 84366c4be407 · 2026-05-18T17:58:54.000-04:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -18,6 +18,9 @@ requires-python = ">=3.10"
 dependencies = [
     "flask>=3.0,<4",
     "fpdf2>=2.7,<3",
+    # Security floor: fpdf2 allows Pillow>=8.3.2, so 9.x can still be resolved.
+    # CVE-2024-28219 (buffer overflow) fixed in Pillow 10.3.0 — https://nvd.nist.gov/vuln/detail/CVE-2024-28219
+    "pillow>=10.3.0",
 ]
 
 [project.optional-dependencies]
diff --git a/requirements.txt b/requirements.txt
@@ -6,4 +6,5 @@
 #         pip install -e ".[desktop]" (+ pywebview for the GUI launcher)
 flask>=3.0,<4
 fpdf2>=2.7,<3
+pillow>=10.3.0
 # pywebview is desktop-only — install with: pip install -e ".[desktop]"

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,9 @@ requires-python = ">=3.10"`
`18`	`18`	`dependencies = [`
`19`	`19`	`"flask>=3.0,<4",`
`20`	`20`	`"fpdf2>=2.7,<3",`
	`21`	`+ # Security floor: fpdf2 allows Pillow>=8.3.2, so 9.x can still be resolved.`
	`22`	`+ # CVE-2024-28219 (buffer overflow) fixed in Pillow 10.3.0 — https://nvd.nist.gov/vuln/detail/CVE-2024-28219`
	`23`	`+ "pillow>=10.3.0",`
`21`	`24`	`]`
`22`	`25`
`23`	`26`	`[project.optional-dependencies]`