From e4af342692227ec2ae2c80ed25d42e81569a08ad Mon Sep 17 00:00:00 2001 From: Andy Chosak Date: Wed, 29 Nov 2023 13:34:40 -0500 Subject: [PATCH] Pin Pillow to 10.1.0 to make Snyk happy Snyk reports a vulnerability in Pillow versions < 10.0.0. We don't pin Pillow, which means that Wagtail in practice pulls in the most recent version, which is greater than 10.0.0, BUT for some reason this doesn't satisfy Snyk. Snyk keeps reporting this vulnerability on all of our cf.gov PRs. In order to make Snyk happy, let's pin Pillow to the currently installed version, which is 10.1.0. --- requirements/libraries.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements/libraries.txt b/requirements/libraries.txt index 9d466c35021..daef1678da8 100644 --- a/requirements/libraries.txt +++ b/requirements/libraries.txt @@ -23,6 +23,7 @@ govdelivery==1.4.0 Jinja2==3.1.2 lxml==4.9.1 opensearch-py==2.2.0 +Pillow==10.1.0 psycopg2-binary==2.8.6 python-dateutil==2.8.2 regdown==1.0.7
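Review bot: The new `Pillow==10.1.0` line in requirements/libraries.txt turns a dependency that previously floated to whatever Wagtail resolved into a hard pin, so from now on Pillow security releases will not be picked up until someone bumps this line by hand; since the commit message gives the pin no purpose beyond silencing Snyk, please add a short comment above the pin (the reason it exists and that it should track Wagtail's supported Pillow range) so a future maintainer knows it is safe to bump, and confirm before merging that 10.1.0 is inside Wagtail's own Pillow version specifier so the resolver does not conflict. The commit message's "for some reason this doesn't satisfy Snyk" is worth running down rather than working around: if Snyk cannot see the transitively resolved version because it only reads this manifest, a note saying so would justify the pin; if it can, the finding may not close with this change. The placement between `opensearch-py==2.2.0` and `psycopg2-binary==2.8.6` keeps the file's case-insensitive alphabetical order and matches its exact-`==` pinning style, so no change needed there.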