-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: bump pillow to major version #18134
Conversation
Codecov Report
@@ Coverage Diff @@
## master #18134 +/- ##
==========================================
- Coverage 66.36% 65.93% -0.44%
==========================================
Files 1570 1584 +14
Lines 61767 62046 +279
Branches 6243 6273 +30
==========================================
- Hits 40990 40907 -83
- Misses 19178 19518 +340
- Partials 1599 1621 +22
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change log: https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst#900-2022-01-02
I dislike initial majors like this one. Any major problem with this version, will leave Superset vulnerable to its fix and release, without any possibility for user's being able to downgrade pillow or upgrade (it's the only current version).
Given the CVE's it's probably a good idea, what do you think about temporarily leaving a wider version interval?
Sounds good.. I widened the version range so that users can bump when they feel comfortable. |
* bump pillow to major version * make a wider range for pillow dependency versions (cherry picked from commit 60db35c)
* bump pillow to major version * make a wider range for pillow dependency versions
* bump pillow to major version * make a wider range for pillow dependency versions
* bump pillow to major version * make a wider range for pillow dependency versions
SUMMARY
Bump Pillow optional dependency (used for taking web screenshots) to address several security vulnerabilities: https://www.cvedetails.com/product/27460/Python-Pillow.html?vendor_id=10210
The only breaking change on this major version of pillow is that it no longer supports Python 3.6, which Superset already doesn't allow.
TESTING INSTRUCTIONS
Make sure we are still able to generate thumbnails and reports with charts and dashboards screenshots
ADDITIONAL INFORMATION