fix: add an explicit constraint on Pillow to block known-vulnerable versions

bradjin8 · bradjin8 · commit d9aa73ab593e · 2026-05-18T13:30:42.000-04:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -18,6 +18,9 @@ requires-python = ">=3.11"
 dependencies = [
     "flask>=3.0,<4",
     "fpdf2>=2.7,<3",
+    # fpdf2 depends on Pillow; declare a floor + cap so resolvers cannot pick
+    # known-vulnerable Pillow releases while staying on Pillow 10.x.
+    "pillow>=10.0.0,<11",
 ]
 
 [project.optional-dependencies]

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,9 @@ requires-python = ">=3.11"`
`18`	`18`	`dependencies = [`
`19`	`19`	`"flask>=3.0,<4",`
`20`	`20`	`"fpdf2>=2.7,<3",`
	`21`	`+ # fpdf2 depends on Pillow; declare a floor + cap so resolvers cannot pick`
	`22`	`+ # known-vulnerable Pillow releases while staying on Pillow 10.x.`
	`23`	`+ "pillow>=10.0.0,<11",`
`21`	`24`	`]`
`22`	`25`
`23`	`26`	`[project.optional-dependencies]`