Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: bump pillow to major version #18134

Merged
merged 2 commits into from
Jan 25, 2022

Conversation

eschutho
Copy link
Member

SUMMARY
Bump Pillow optional dependency (used for taking web screenshots) to address several security vulnerabilities: https://www.cvedetails.com/product/27460/Python-Pillow.html?vendor_id=10210

The only breaking change on this major version of pillow is that it no longer supports Python 3.6, which Superset already doesn't allow.

TESTING INSTRUCTIONS
Make sure we are still able to generate thumbnails and reports with charts and dashboards screenshots

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@codecov
Copy link

codecov bot commented Jan 22, 2022

Codecov Report

Merging #18134 (758c0df) into master (88db2cc) will decrease coverage by 0.43%.
The diff coverage is 57.18%.

❗ Current head 758c0df differs from pull request most recent head 7ae73a7. Consider uploading reports for the commit 7ae73a7 to get more accurate results
Impacted file tree graph

@@            Coverage Diff             @@
##           master   #18134      +/-   ##
==========================================
- Coverage   66.36%   65.93%   -0.44%     
==========================================
  Files        1570     1584      +14     
  Lines       61767    62046     +279     
  Branches     6243     6273      +30     
==========================================
- Hits        40990    40907      -83     
- Misses      19178    19518     +340     
- Partials     1599     1621      +22     
Flag Coverage Δ
hive 52.15% <29.46%> (-1.07%) ⬇️
mysql ?
postgres 81.22% <57.82%> (-0.93%) ⬇️
presto 51.99% <29.46%> (-1.06%) ⬇️
python 81.62% <57.82%> (-0.98%) ⬇️
sqlite 80.92% <57.82%> (-0.93%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...rt-controls/src/operators/rollingWindowOperator.ts 100.00% <ø> (ø)
...ui-chart-controls/src/operators/utils/constants.ts 100.00% <ø> (ø)
...superset-ui-core/src/query/types/PostProcessing.ts 100.00% <ø> (ø)
...ackages/superset-ui-core/src/utils/featureFlags.ts 100.00% <ø> (ø)
...src/BigNumber/BigNumberWithTrendline/buildQuery.ts 9.09% <ø> (ø)
...hart-echarts/src/MixedTimeseries/transformProps.ts 0.00% <0.00%> (ø)
...chart-echarts/src/Timeseries/Area/controlPanel.tsx 33.33% <0.00%> (-6.67%) ⬇️
.../plugin-chart-echarts/src/Timeseries/Area/index.ts 33.33% <0.00%> (-16.67%) ⬇️
...charts/src/Timeseries/Regular/Bar/controlPanel.tsx 33.33% <0.00%> (-6.67%) ⬇️
...-chart-echarts/src/Timeseries/Regular/Bar/index.ts 33.33% <0.00%> (-16.67%) ⬇️
... and 84 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 88db2cc...7ae73a7. Read the comment docs.

Copy link
Member

@dpgaspar dpgaspar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change log: https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst#900-2022-01-02

I dislike initial majors like this one. Any major problem with this version, will leave Superset vulnerable to its fix and release, without any possibility for user's being able to downgrade pillow or upgrade (it's the only current version).

Given the CVE's it's probably a good idea, what do you think about temporarily leaving a wider version interval?

@eschutho
Copy link
Member Author

eschutho commented Jan 25, 2022

Give the CVE's it's probably a good idea, what do you think about temporarily leaving a wider version interval?

Sounds good.. I widened the version range so that users can bump when they feel comfortable.

@eschutho eschutho merged commit 60db35c into apache:master Jan 25, 2022
@eschutho eschutho deleted the elizabeth/bump-pillow branch January 25, 2022 17:51
jinghua-qa pushed a commit to preset-io/superset that referenced this pull request Jan 25, 2022
* bump pillow to major version

* make a wider range for pillow dependency versions

(cherry picked from commit 60db35c)
shcoderAlex pushed a commit to casual-precision/superset that referenced this pull request Feb 7, 2022
* bump pillow to major version

* make a wider range for pillow dependency versions
ofekisr pushed a commit to nielsen-oss/superset that referenced this pull request Feb 8, 2022
* bump pillow to major version

* make a wider range for pillow dependency versions
bwang221 pushed a commit to casual-precision/superset that referenced this pull request Feb 10, 2022
* bump pillow to major version

* make a wider range for pillow dependency versions
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 1.5.0 labels Mar 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels preset:2022.3 preset-io size/S 🚢 1.5.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants