
fix(deps): update pillow (high) #1136

Open
claude[bot] wants to merge 2 commits into main from claude/dependabot-sweep-pillow

Conversation


claude[bot] commented Feb 25, 2026

Summary

  • Update pillow to >=12.1.1 on Python >=3.10 to resolve GHSA-cfh3-3jmp-rvhc (CVE-2026-25990, high severity out-of-bounds write when loading PSD images)
  • Retain pillow>=10.4.0 for Python <3.10 since pillow 12.x requires Python >=3.10
  • Regenerate uv.lock to include both version splits

Advisories resolved

GHSA ID              CVE             Severity  Patched version
GHSA-cfh3-3jmp-rvhc  CVE-2026-25990  high      12.1.1

Lockfiles modified

  • requirements-test.txt
  • uv.lock
  • pyproject.toml

Unresolved alerts

  • Python <3.10: pillow 12.1.1 requires Python >=3.10, so builds on Python 3.8/3.9 still use pillow >=10.4.0 which remains in the vulnerable range. There is no patched version of pillow available for Python <3.10.

Test plan

  • uv lock regenerated successfully
  • uv run make format passes
  • uv run make lint passes
  • CI pipeline validates the update

Resolves #1131

🤖 Generated with Claude Code

Update pillow to >=12.1.1 on Python >=3.10 to resolve GHSA-cfh3-3jmp-rvhc
(high severity out-of-bounds write when loading PSD images). Retains
pillow >=10.4.0 for Python <3.10 as pillow 12.x requires Python >=3.10.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
claude[bot] requested a review from a team as a code owner February 25, 2026 22:20
claude[bot] requested review from allisonschiang and stuqdog February 25, 2026 22:20
ale7714 self-assigned this Feb 25, 2026
The second Pillow line was missing the 2-space leading indent
present on all other lines in the file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
claude[bot] (author) left a comment

Review: fix(deps): update pillow (high) — CVE-2026-25990

Scope: dependency-only change (pyproject.toml, requirements-test.txt, uv.lock). No source or gen/ files were touched.

What was changed

Pillow is split into two markers:

  • >=12.1.1 for Python ≥3.10 (patched version)
  • >=10.4.0 for Python <3.10 (no patched version exists for that range)

The uv.lock is regenerated correctly: Python 3.9 resolves to pillow 10.4.0, Python ≥3.10 resolves to pillow 12.1.1.

Fix applied in this review

requirements-test.txt indentation inconsistency (committed and pushed):
The second Pillow line was missing the 2-space leading indent that every other line in the file uses. Fixed in commit 53f4505. uv pip strips leading whitespace so it was not functionally broken, but it violated the file's consistent formatting.

Observations (not blocking)

Pin semantics relaxed for Python <3.10:
requirements-test.txt changed from Pillow~=10.4.0 (>=10.4.0,<11.0.0) to Pillow>=10.4.0 (unbounded). Since this file is used exclusively for minimum-version testing (uv pip install -r requirements-test.txt installs the lowest satisfying version = 10.4.0), the change in semantics has no functional effect. Acceptable.

Python 3.9 remains in the vulnerable range:
Pillow 12.1.1 requires Python ≥3.10. The PR correctly identifies this in its "Unresolved alerts" section. There is no upstream fix available for Python 3.9. The lockfile pins 10.4.0 for Python 3.9, and minimum-version CI testing also resolves to 10.4.0. Nothing more can be done here without dropping Python 3.9 support.

types-pillow stubs not updated:
pyproject.toml retains types-pillow>=10.2.0.20240822. Since it is a lower bound (not a pin), the resolver will pick up the latest types-pillow, which includes Pillow 12.x stubs. No issue.

Verdict

The security fix is correctly structured. The lockfile regeneration is valid. One cosmetic defect was fixed inline. No further changes required.
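The two reviews above reason about which interpreters the Pillow split still leaves in the vulnerable range and what a minimum-version install resolves to. The following is an added example, not code from the PR or the project: it parses the two requirement lines as described in the PR (the exact marker syntax used in the project's pyproject.toml is assumed), mimics the lowest-satisfying-version resolution the first review describes for requirements-test.txt, and reports the Python versions whose resolution stays below the patched version given on the page.

```python
import re

# Constructed from the PR description: Pillow split into two PEP 508 lines
# by python_version. Marker syntax is assumed, not copied from the project.
REQUIREMENTS = [
    "pillow>=12.1.1; python_version>='3.10'",
    "pillow>=10.4.0; python_version<'3.10'",
]
# Patched version for GHSA-cfh3-3jmp-rvhc as stated on the page.
PATCHED = (12, 1, 1)

OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}

def parse_version(text):
    """'3.10' -> (3, 10): compare as integer tuples, never as strings
    (as strings '3.9' > '3.10', the classic python_version marker pitfall)."""
    return tuple(int(part) for part in text.split("."))

def parse_requirement(req):
    """Split "name>=ver; python_version<op>'x.y'" into its parts."""
    spec, _, marker = req.partition(";")
    m = re.fullmatch(r"\s*([A-Za-z0-9_.-]+)\s*(>=)\s*([\d.]+)\s*", spec)
    k = re.fullmatch(r"\s*python_version\s*(<=|>=|<|>)\s*'([\d.]+)'\s*", marker)
    if not m or not k:
        raise ValueError(f"unsupported requirement: {req!r}")
    return m.group(1), parse_version(m.group(3)), k.group(1), parse_version(k.group(2))

def minimum_version(requirements, python_version):
    """Lowest version a minimum-version install picks on the given
    interpreter (the resolution the page describes), or None if no marker matches."""
    py = parse_version(python_version)
    for req in requirements:
        _, lower_bound, op, marker_version = parse_requirement(req)
        if OPS[op](py, marker_version):
            return lower_bound  # the ">=" lower bound is the minimum installed
    return None

def still_vulnerable(requirements, python_versions, patched=PATCHED):
    """Interpreters whose minimum resolution is below the patched version."""
    exposed = []
    for pv in python_versions:
        low = minimum_version(requirements, pv)
        if low is not None and low < patched:
            exposed.append(pv)
    return exposed
```

Running `still_vulnerable(REQUIREMENTS, ["3.8", "3.9", "3.10", "3.12"])` reproduces the reviews' conclusion: only 3.8 and 3.9 remain exposed.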

claude[bot] (author) left a comment


Review: fix(deps): update pillow (high)

Summary

The PR correctly addresses CVE-2026-25990 (GHSA-cfh3-3jmp-rvhc) by version-splitting Pillow at Python 3.10, which is the minimum required by Pillow 12.x. The logic in all three modified files (pyproject.toml, requirements-test.txt, uv.lock) is consistent and mechanically correct. No source code was changed, and src/viam/gen/ was not touched.

Issues

types-pillow stubs not updated (pyproject.toml line 30)

The lock file keeps types-pillow pinned at 10.2.0.20240822 (Pillow 10.x stubs) while Python ≥3.10 environments will now install Pillow 12.1.1. If Pillow 12.x exposes API changes not covered by the 10.x stubs, pyright will silently miss type errors in any code that calls Pillow APIs. A newer types-pillow release covering 12.x should be checked for and the constraint updated to >=12.1.1 if available.

Open-ended upper bound in requirements-test.txt (line 4)

The original Pillow~=10.4.0 (compatible-release: >=10.4.0, <11.0) was replaced with Pillow>=12.1.1 (no upper bound). The lock file pins the concrete version today, but future uv lock regenerations will freely resolve any Pillow ≥12.1.1. Consider >=12.1.1,<13 to guard against unexpected major-version upgrades (consistent with how pyproject.toml handles numpy: <1.25.0 / >=1.26.2).

See inline comments for exact locations.

Unresolved (acknowledged in PR description)

Python 3.8/3.9 remain on pillow>=10.4.0 which is in the vulnerable range for CVE-2026-25990. There is no patched Pillow for those Python versions. This is an accepted limitation, not a defect in the PR.

Verdict

The security fix is correct and the implementation is sound. The two observations above are non-blocking but should be addressed as follow-ups.

Development

Successfully merging this pull request may close these issues.

fix(deps): update pillow (high, 2 alerts)

1 participant